Credentials are validated against PostgreSQL and a JWT is returned, which the frontend stores in localStorage as allminds_token and sends as Authorization: Bearer <token> on every subsequent request ...