Validate JWT and issue session token

Validates a JWT issued by the auth server and issues a session token.

**JWT validation (security-critical order):**

1. Signature verification (ECDSA P-256)
2. Audience check (must match the device serial number)
3. POH expiration check (`exp_poh` vs current POH)
4. Nonce validation (single-use, must be pending)

**Token usage types:**

- `cookie`: sets an HTTP-only cookie and returns a success message
- `bearer`: returns the session token in the response body; no cookie is set

**Security properties:**

- All validation failures return HTTP 401 with no information leakage (the response does not reveal which check failed)
- The nonce is marked as used only after successful validation
- Session tokens expire based on POH, not wall-clock time
- Cookie security: `http_only=True`, `same_site='Strict'`, `secure=True` (HTTPS)
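The four checks above, in the documented order, as an added example in Go using only the standard library. This is not the endpoint's own code: the claim key `nonce`, the `Validator` type, the `SignES256` helper (which stands in for the auth server so the example can build a token) and the choice to treat `current POH == exp_poh` as expired are all assumptions of the example. The points it shows that the list alone does not: no claim is interpreted before the signature verifies, every failure collapses to one error value so a bare 401 can be returned, and the nonce is consumed under a lock only after the other three checks passed, so a rejected token cannot burn a pending nonce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
)

// Auth-server JWT claims; "exp_poh" is from the page, the key "nonce" is an assumption.
type Claims struct {
	Aud    string `json:"aud"`
	ExpPOH uint64 `json:"exp_poh"`
	Nonce  string `json:"nonce"`
}

// Every failed check maps to this one error: a bare 401 that names no failing step.
var ErrUnauthorized = errors.New("unauthorized")

// Validator: auth-server public key, expected audience (device serial) and pending nonces.
type Validator struct {
	Pub     *ecdsa.PublicKey
	Serial  string
	Pending map[string]bool
	mu      sync.Mutex // guards Pending: check-and-consume must be atomic
}

func b64u(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignES256 stands in for the auth server: compact JWT, ES256, raw r||s signature.
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := b64u([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64u(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64u(sig), nil
}

// Validate runs the four checks in the documented order. No claim is read before the
// signature verifies; the nonce is consumed last, so a rejected token cannot burn it.
func (v *Validator) Validate(token string, currentPOH uint64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return ErrUnauthorized
	}
	// 1. Signature; "alg" from the header is never consulted (key and algorithm are fixed).
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return ErrUnauthorized
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(v.Pub, digest[:], r, s) {
		return ErrUnauthorized
	}
	var c Claims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return ErrUnauthorized
	}
	// 2. Audience must equal this device's serial number exactly.
	if c.Aud != v.Serial {
		return ErrUnauthorized
	}
	// 3. POH expiry; equality counts as expired (the page leaves the boundary unstated).
	if currentPOH >= c.ExpPOH {
		return ErrUnauthorized
	}
	// 4. Nonce must be pending; consumed under the lock so a replay fails despite a valid signature.
	v.mu.Lock()
	defer v.mu.Unlock()
	if !v.Pending[c.Nonce] {
		return ErrUnauthorized
	}
	delete(v.Pending, c.Nonce)
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := &Validator{Pub: &priv.PublicKey, Serial: "SN-000123", Pending: map[string]bool{"n-1": true}}
	tok, _ := SignES256(priv, Claims{Aud: "SN-000123", ExpPOH: 1000, Nonce: "n-1"})
	fmt.Println(v.Validate(tok, 900), v.Validate(tok, 900)) // <nil> unauthorized
}
```

The header's `alg` field is deliberately ignored rather than checked: the verifier knows which key and algorithm it expects, so a token claiming `none` or `HS256` simply fails ECDSA verification instead of being routed to a different code path. In production the pending-nonce set would live in persistent storage and the check-and-delete would need to be atomic there too (a transaction or a conditional delete), for the same reason the mutex is held here.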

Request

This endpoint expects an object.
`token` (string, required)

JWT signed by auth server (ECDSA P-256)

`token_usage` (enum, required)

Token usage type:

  • cookie: Session token delivered via HTTP-only cookie (browser clients)
  • bearer: Session token delivered via Authorization Bearer header (API clients)
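How the two delivery modes differ on the wire, as an added Go example that is not the endpoint's own code. The handler takes an injected `validate` function (any error means 401) and an injected `issue` function (returns a fresh session token); both are assumptions of the example, as are the cookie name `session`, the 8 KiB body limit and the `Cache-Control: no-store` header. Malformed bodies and unknown `token_usage` values get 400; every JWT failure gets the same 401; in cookie mode the token travels only in `Set-Cookie` with `HttpOnly`, `Secure` and `SameSite=Strict`, and in bearer mode only in the JSON body.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// loginRequest mirrors the documented request body.
type loginRequest struct {
	Token      string `json:"token"`
	TokenUsage string `json:"token_usage"`
}

// LoginHandler delivers the session token in the mode the client asked for.
// validate and issue are injected (an assumption of this example) so the handler
// stays independent of the JWT code.
func LoginHandler(validate func(jwt string) error, issue func() string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req loginRequest
		err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 8192)).Decode(&req)
		if err != nil || req.Token == "" || (req.TokenUsage != "cookie" && req.TokenUsage != "bearer") {
			http.Error(w, "Bad Request", http.StatusBadRequest) // schema problems are 400, never 401
			return
		}
		w.Header().Set("Cache-Control", "no-store") // nothing on this path may be cached
		if validate(req.Token) != nil {
			// One fixed response for every validation failure: nothing in the status,
			// body or headers says which of the four checks rejected the JWT.
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		session := issue()
		w.Header().Set("Content-Type", "application/json")
		if req.TokenUsage == "cookie" {
			http.SetCookie(w, &http.Cookie{
				Name: "session", Value: session, Path: "/",
				HttpOnly: true,                    // not readable from script, so XSS cannot exfiltrate it
				Secure:   true,                    // only ever sent over HTTPS
				SameSite: http.SameSiteStrictMode, // never attached to cross-site requests (CSRF)
			})
			json.NewEncoder(w).Encode(map[string]string{"message": "login successful"})
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"token": session}) // bearer: body only, no cookie
	}
}

func main() {
	// Constructed demo: a stub validator that accepts only the literal JWT "good".
	h := LoginHandler(func(jwt string) error {
		if jwt == "good" {
			return nil
		}
		return errors.New("unauthorized")
	}, func() string { return "AAAAAAAAAAAAAAAAAAAAAA" })
	for _, body := range []string{
		`{"token":"good","token_usage":"cookie"}`,
		`{"token":"good","token_usage":"bearer"}`,
		`{"token":"bad","token_usage":"bearer"}`,
		`{"token":"good","token_usage":"header"}`,
	} {
		rec := httptest.NewRecorder()
		h(rec, httptest.NewRequest("POST", "/login", strings.NewReader(body)))
		fmt.Println(rec.Code, rec.Header().Get("Set-Cookie"), strings.TrimSpace(rec.Body.String()))
	}
}
```

The request-shape checks run before `validate` so that a client sending the wrong `token_usage` learns that from a 400, while a client sending a bad JWT learns nothing beyond the 401.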

Response

Login successful (bearer token mode: the session token is returned in the body and no cookie is set; in cookie mode the body carries only a success message and the token travels in the `Set-Cookie` header)

`token` (string, format: `^[A-Za-z0-9_-]{22}$`)

Session token for bearer authentication (unpadded base64url, 22 characters, which is the encoding of exactly 16 bytes)

Errors

400
Bad Request Error: the request body does not match the schema above (missing field or unknown `token_usage`)
401
Unauthorized Error: returned for every JWT validation failure (signature, audience, POH expiry, nonce); the response does not indicate which check failed