New accounts must verify their email with a time-limited OTP before the account is created.

Signing in creates a revocable 30-day session stored in an HTTP-only cookie.

In development, OTPs are printed to the server terminal unless email delivery is configured.