Documentation
How sessions work
There are two distinct tokens — don't mix them up:
- App-session token — returned by
/initassession. Send it asAuthorization: Bearer <token>on every other client call. Valid ~1 hour; re-init when it expires. - User session id — a UUID returned by
/register,/loginand/licensein thesessionfield. Pass it in the body of/check,/varand/fileto prove the user is still logged in.