FoN uses three distinct authentication mechanisms, depending on the endpoint you’re calling. Most endpoints rely on a session cookie, a small set of token-management endpoints accept a JWT Bearer token, and uploads via the v1 API accept a long-lived API token.
| Mechanism | How it’s sent | Used by |
|---|---|---|
| Session Cookie (auth-token) | `Cookie: auth-token=<jwt>` | Almost everything: voting, tags, profile, uploads (non-v1), MFA, password management, logout, etc. |
| JWT Bearer Token | `Authorization: Bearer <jwt>` | Only /api/auth/tokens, /api/auth/tokens/generate, and /api/auth/tokens/{id} |
When you log in (or complete an OAuth flow), the API sets a secure HTTP-only cookie named auth-token containing a JWT, valid for 24 hours. This cookie is automatically sent by browsers with subsequent requests, and is what the vast majority of endpoints check via getCookie(event, 'auth-token').
Session cookies are automatically managed by the browser. For non-browser clients (scripts, curl, etc.), you can authenticate the same way by sending the JWT from the login response as a cookie: Cookie: auth-token=YOUR_JWT_TOKEN.
The same JWT returned from login can also be passed as a Bearer token, but only for the token-management endpoints (/api/auth/tokens, /api/auth/tokens/generate, and /api/auth/tokens/{id}). These endpoints are how you generate and manage long-lived API tokens.
API tokens are long-lived, raw 64-character hex strings designed for programmatic access. They’re ideal for scripts, bots, and integrations, and are accepted only by /api/v1/upload.
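The following is an added example, not code from FoN or its API documentation, showing how a non-browser client would pick the right mechanism for each endpoint described above: the session JWT as a cookie for ordinary endpoints, the same JWT as a Bearer token for the three token-management endpoints, and a 64-character hex API token for /api/v1/upload. It also reads the JWT's standard `exp` claim (assumed to be present; the page only states the 24-hour lifetime) so a script can re-authenticate before the session lapses rather than after a 401. The header used to send the API token is not stated on this page and is assumed to be a Bearer header. The JWT built by `make_demo_jwt` is a constructed sample with a dummy signature; only the server verifies signatures, and nothing here trusts the claims for anything but scheduling a re-login.

```python
import base64
import json
import re
import time
from typing import Optional

# Endpoints the page lists as accepting the login JWT as a Bearer token.
TOKEN_MGMT_RE = re.compile(r"^/api/auth/tokens(?:/generate|/[^/]+)?$")
# The only endpoint the page lists as accepting a long-lived API token.
V1_UPLOAD_PATH = "/api/v1/upload"
# API tokens are raw 64-character hex strings (per the page).
API_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read the payload claims of a compact JWT WITHOUT verifying the signature.

    The client never trusts these claims for authorization; it only uses `exp`
    to decide when the 24-hour session cookie needs refreshing via a new login.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def jwt_expired(token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    """True if the assumed standard `exp` claim is missing or within `skew` seconds of now."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return True  # no expiry claim: treat as unusable rather than guessing
    now = time.time() if now is None else now
    return exp - skew <= now


def auth_headers(path: str, jwt: Optional[str] = None, api_token: Optional[str] = None,
                 now: Optional[float] = None) -> dict:
    """Return the request headers that carry the correct credential for `path`."""
    if path == V1_UPLOAD_PATH:
        if api_token is None:
            raise PermissionError(f"{path} accepts only a long-lived API token")
        if not API_TOKEN_RE.match(api_token):
            raise ValueError("API token must be a raw 64-character hex string")
        # ASSUMPTION: the page does not state the header for API tokens; Bearer is assumed.
        return {"Authorization": f"Bearer {api_token}"}
    if jwt is None:
        raise PermissionError(f"{path} requires a session JWT; log in first")
    if jwt_expired(jwt, now):
        raise PermissionError("session JWT is expired or about to expire; log in again")
    if TOKEN_MGMT_RE.match(path):
        # Token-management endpoints are the only ones that take the JWT as Bearer.
        return {"Authorization": f"Bearer {jwt}"}
    # Everything else checks the auth-token cookie (what browsers send automatically).
    return {"Cookie": f"auth-token={jwt}"}


def make_demo_jwt(claims: dict) -> str:
    """Construct a sample JWT for demonstration; the signature segment is a dummy."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.dummysignature"


if __name__ == "__main__":
    # Constructed session JWT: issued "now", expiring 24 hours later.
    issued = int(time.time())
    session = make_demo_jwt({"sub": "user-123", "iat": issued, "exp": issued + 24 * 3600})
    print(auth_headers("/api/vote", session))                    # cookie
    print(auth_headers("/api/auth/tokens/generate", session))    # bearer
    print(auth_headers(V1_UPLOAD_PATH, api_token="ab" * 32))     # API token
```

Usage: call `auth_headers` once per request and merge the result into the HTTP headers; a script that keeps the login JWT around for more than a day will start getting `PermissionError` from this helper about a minute before the server would reject the cookie, which is the cue to log in again.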