auth-and-2fa
docs/backend/auth-and-2fa.md
---
title: Auth + 2FA
---
Authentication is username/password (passwords hashed with Argon2id) with enforced TOTP-based 2FA.

## Flow
1. Register
2. Setup TOTP (QR)
3. Enable TOTP
4. Login requires TOTP code
5. Access + refresh tokens (refresh tokens are rotated and stored hashed)
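
Step 5 as an added sketch, not this project's own code: a refresh token is stored only as a digest and swapped for a new one on every use. `RefreshStore`, `REFRESH_TTL`, the SHA-256 choice and the revoke-on-reuse behaviour are assumptions; the page only says refresh tokens are rotated and stored hashed.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 7 * 24 * 3600  # assumed lifetime; the page does not state one


class InvalidRefreshToken(Exception):
    pass


def digest(token: str) -> str:
    # Tokens are 256-bit random values, so a fast hash is sufficient here;
    # a slow hash such as Argon2id is for low-entropy passwords.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshStore:
    """In-memory stand-in (hypothetical) for the table of refresh-token hashes."""

    def __init__(self):
        self.rows = {}  # digest -> {"user", "family", "expires", "used"}

    def issue(self, user, family=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.rows[digest(token)] = {
            "user": user,
            "family": family or secrets.token_hex(8),  # one family per login
            "expires": now + REFRESH_TTL,
            "used": False,
        }
        return token  # plaintext goes to the client once and is never stored

    def rotate(self, presented, now=None):
        now = time.time() if now is None else now
        row = self.rows.get(digest(presented))
        if row is None or row["expires"] <= now:
            raise InvalidRefreshToken("unknown or expired")
        if row["used"]:
            # An already-rotated token came back: treat it as stolen and
            # revoke every token descended from the same login.
            self.rows = {d: r for d, r in self.rows.items()
                         if r["family"] != row["family"]}
            raise InvalidRefreshToken("reuse detected, family revoked")
        row["used"] = True
        return self.issue(row["user"], row["family"], now)
```

Keeping the rotated row marked `used` instead of deleting it is what lets the server tell a replayed token apart from an unknown one.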