Sign in
scrypt-hashed password → JWT access + rotating refresh, held in httpOnly cookies by the app server. The token is never exposed to page JavaScript.
Demo users (password password123): admin@acme.test · priya.maker@acme.test · rahul.checker@acme.test