GPU Outlet uses session cookies for authentication. No API tokens, no JWTs, no client secrets to leak — just an opaque sid cookie set after the user authenticates. After a successful sign-in (any path), the server sets:
Set-Cookie: sid=<opaque 256-bit value>;
  HttpOnly; Secure; SameSite=Lax;
  Path=/; Max-Age=2592000
  • HttpOnly — JavaScript can’t read it; XSS can’t exfiltrate it
  • Secure — never sent over plain HTTP
  • SameSite=Lax — sent on top-level navigations, not in cross-site iframes
  • Max-Age — 30 days, sliding (refreshes on each authenticated request)
For browser clients, the cookie is set and sent automatically. For curl / scripts:
curl https://gpuoutlet.ai/v1/auth/me --cookie "sid=$YOUR_SID"
You can copy your sid value from DevTools → Application → Cookies on gpuoutlet.ai if you need to script against the API as yourself.

Email OTP flow

  • intent is login or signup. Used for: rate-limiting policy, signup-specific telemetry, and the welcome screen heuristic.
  • created in the request-code response tells the client whether this is a brand-new account (true) or an existing one (false). The dashboard uses it to skip the new-user welcome flow for returning users.

OAuth (Google, GitHub)

If the email isn’t verified at the provider, we 302 to /login?error=oauth_no_email.

Logging out

curl -X POST https://gpuoutlet.ai/v1/auth/logout --cookie "sid=$SID"
# Set-Cookie: sid=; Max-Age=0
# {"ok":true}
Server-side, the session record is hard-deleted. Subsequent requests with that sid return 401.
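If you script against the API, you can check that a sign-in response carries the session cookie with the attributes documented at the top of this page, and recognise the clearing header sent on logout. The following is an added example, not GPU Outlet's own code; the function names and the sample sid values are constructed for illustration.

```python
# Added example: audits a Set-Cookie header against the documented attributes.
DOCUMENTED_MAX_AGE = 2592000  # 30 days, as in the header shown on this page


def parse_set_cookie(header):
    """Split a Set-Cookie line into (name, value, attrs); attr keys lowercased."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_logout_clear(header):
    """True for the deletion header sent on logout: empty sid with Max-Age=0."""
    name, value, attrs = parse_set_cookie(header)
    return name == "sid" and value == "" and attrs.get("max-age") == "0"


def audit_session_cookie(header):
    """Return findings for a sign-in Set-Cookie; an empty list means it matches."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if name != "sid" or not value:
        findings.append("not a populated sid cookie")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("samesite", "").lower() != "lax":
        findings.append("SameSite is not Lax")
    if attrs.get("path") != "/":
        findings.append("Path is not /")
    max_age = attrs.get("max-age", "")
    if not max_age.isdigit():
        findings.append("Max-Age missing or not numeric")
    elif int(max_age) > DOCUMENTED_MAX_AGE:
        findings.append("Max-Age exceeds the documented 30 days")
    return findings


# Constructed sample headers (the sid values are made up).
GOOD = "Set-Cookie: sid=" + "a" * 64 + "; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=2592000"
WEAK = "Set-Cookie: sid=" + "a" * 64 + "; Path=/; SameSite=None; Max-Age=31536000"
LOGOUT = "Set-Cookie: sid=; Max-Age=0"
```

Feed it the Set-Cookie line from `curl -i` output; a non-empty result lists each attribute that differs from what this page documents.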

Getting the current user

curl https://gpuoutlet.ai/v1/auth/me --cookie "sid=$SID"
Response (signed in)
{
  "user": {
    "id": "usr_01H…",
    "email": "you@example.com",
    "createdAt": "2026-06-07T08:14:22Z"
  },
  "expiresAt": "2026-07-07T08:14:22Z"
}
Response (signed out)
{ "error": "unauthorized", "message": "Not signed in" }
Status 401 in the signed-out case.

Cross-origin requests

The API enforces Origin checks on every mutating endpoint. If you’re calling from a custom domain, contact us to whitelist it. For typical use (dashboard, server-to-server with the user’s cookie), there’s nothing to configure.