# API Contract: Auth

**Base path**: `/api/v1/auth`

**Authentication**: HTTP Basic (all endpoints in this group require valid credentials)

---

## GET /api/v1/auth/check

Verifies that the supplied HTTP Basic credentials are valid. Used by the frontend after a page refresh to confirm stored credentials are still accepted before rendering the app.

### Request

```
GET /api/v1/auth/check
Authorization: Basic
```

No request body.

### Response — 200 OK

```json
{
  "username": "neurosurgeon"
}
```

| Field | Type | Description |
|-------|------|-------------|
| `username` | string | The authenticated username |

### Response — 401 Unauthorized

Spring Security returns a standard 401 with `WWW-Authenticate: Basic realm="Realm"` header. No JSON body.

### Behaviour

- Returns `200` with the authenticated username if credentials are valid.
- Returns `401` if credentials are absent or incorrect.
- No side effects (idempotent, read-only).

---

## Notes

- All other existing endpoints (`/api/v1/books`, `/api/v1/chat`, etc.) continue to require HTTP Basic Auth as before.
- The frontend sends `Authorization: Basic ...` on every request via the axios request interceptor.
- A global axios response interceptor detects `401` responses and redirects the user to `/login`.
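
The client side of this contract, as an added example that is not part of the original contract or the project's frontend code: it builds the `Authorization` header per RFC 7617 and maps the `200`/`401` responses described above to a frontend action. The function names, the `store` object and the handling of statuses other than `200` and `401` are assumptions; the logic is kept free of axios so it can sit inside the request and response interceptors.

```javascript
// Added example, not the project's frontend code. Function names, the `store`
// object and the "error" action are assumptions made for illustration.
const CHECK_PATH = "/api/v1/auth/check";

// RFC 7617: the user-id must not contain ':' and the pair is UTF-8 encoded
// before base64, so non-ASCII passwords survive the round trip.
function basicAuthHeader(username, password) {
  if (typeof username !== "string" || username === "" || username.includes(":")) {
    throw new Error("invalid username for HTTP Basic");
  }
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// The request the frontend sends after a page refresh. No body.
function buildCheckRequest(creds) {
  return {
    method: "GET",
    url: CHECK_PATH,
    headers: { Authorization: basicAuthHeader(creds.username, creds.password) },
  };
}

// Maps a response ({ status, body }) to what the frontend should do next.
function handleCheckResponse(res, store) {
  if (res.status === 200 && res.body && typeof res.body.username === "string") {
    return { action: "render", username: res.body.username };
  }
  if (res.status === 401) {
    store.clear(); // drop the rejected credentials before redirecting
    return { action: "redirect", to: "/login" };
  }
  // 5xx, proxy errors or a malformed 200 say nothing about the credentials:
  // keep them, but do not render the app.
  return { action: "error", status: res.status };
}

// Constructed sample run: an in-memory store and a hand-built 401 response.
const demoStore = { creds: { username: "neurosurgeon", password: "constructed-pw" },
                    clear() { this.creds = null; } };
const demoRequest = buildCheckRequest(demoStore.creds);
const demoResult = handleCheckResponse({ status: 401, body: null }, demoStore);
console.log(demoRequest.method, demoRequest.url, "->", demoResult.action, demoResult.to);
```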