
Signup & login

Two ways to create an account — email/password or Google.

When do you create an account?

The setup wizard lets you fill in the bot config first, without signing up. After you finish and see the preview, the signup wall appears. We do this because we want you to see the value first, then pay.

Email + password

Fields on /register:

• **Name** (optional).
• **Email** — required; format is validated, disposable domains are blocked.
• **Password** — minimum **6** characters.
• **Confirm password** — must match.

There's a rate limit of 5 registrations per minute per IP. After "Sign up" we send a 6-digit code to your email — enter it on the next screen. Below the "Create account" button there's an "or" divider and a "Sign up with Google" button — described in the next step.
Registration form on /register with email/password and Google button

Google Sign-In

Second button on /register and /login — "Sign in with Google". Click → Google account picker → you come back logged in. Scope is `openid email profile` (different from the Google Calendar OAuth, which is for the calendar). The Google email is auto-verified — no 6-digit code needed. If you already have an email/password account and switch to Google with the same email — both methods merge automatically (we keep the existing user row and add `oauth_provider=google` and `oauth_provider_id`).

Logging into an existing account

On /login: email + password (with a "Show password" toggle, a "Remember me" checkbox and a "Forgot password?" link) or the Google button. Rate limit: 10 attempts/min per IP. If you try to log in with a password to a Google-only account — you get a specific "OAUTH_ONLY" error and the UI points you to the Google button.

Session

On successful login we set an httpOnly cookie `rai_session` — a JWT signed with HMAC-SHA256, 30-day TTL. With "Remember me" the cookie persists; without it, it's session-only. Logout: `POST /api/auth/logout` (deletes the cookie).
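The session scheme described above, as an added sketch that is not rAIceptionist's own code: minting and verifying an HS256-signed `rai_session` token with a 30-day expiry, and building the cookie with or without persistence for "Remember me". The key, the claim names (`sub`, `iat`, `exp`) and the `Secure`/`SameSite` attributes are assumptions; the page states only httpOnly, HMAC-SHA256 and the TTL.

```python
import base64, hashlib, hmac, json

TTL = 30 * 24 * 3600  # 30-day TTL stated on the page
KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: server-side secret

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(msg: str) -> bytes:
    return hmac.new(KEY, msg.encode(), hashlib.sha256).digest()

def issue(user_id: str, now: int) -> str:
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user_id, "iat": now, "exp": now + TTL}).encode())
    return f"{header}.{body}.{b64e(sign(f'{header}.{body}'))}"

def verify(token: str, now: int):
    """Return the claims dict, or None if the token must be rejected."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm server-side; never let the token choose it.
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sign(f"{header}.{body}"), b64d(sig)):  # constant-time
            return None
        claims = json.loads(b64d(body))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None  # expired or missing expiry
        return claims
    except (ValueError, AttributeError):  # malformed base64, JSON or structure
        return None

def set_cookie(token: str, remember_me: bool) -> str:
    # Secure and SameSite=Lax are assumptions; the page only states httpOnly.
    attrs = [f"rai_session={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember_me:
        attrs.append(f"Max-Age={TTL}")  # persistent; without it the cookie is session-only
    return "; ".join(attrs)
```

Because the expiry lives inside the signed token, a copied cookie stays valid until `exp` even after the browser drops it; deleting the cookie on logout does not by itself invalidate the token.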
Signup & login · rAIceptionist Docs