openapi and docs

Author: while1618

backend/spring-boot/src/main/resources/static/openapi.yml

@@ -828,13 +828,12 @@ components:
             properties:
               token:
                 type: string
-                format: JWT
               password:
                 type: string
               confirmPassword:
                 type: string
           example:
-            token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlcyI6WyJVU0VSIl0sImlzc3VlZEF0IjoiMjAyMS0xMC0yMFQxNDozMzo0NC43MDcyOTMzMDlaIiwiZXhwIjoxNjM0NzQxMzI0LCJ1c2VySWQiOjJ9.uXOVA1q-o2DtHmwBAzEfqEm8GLpAhXrYo0rlZ_6NFbBGILhkV74x-Iu9W2uSfSlwp1IfKPCHlR6zWVPvAbhWVw
+            token: 550e8400-e29b-41d4-a716-446655440000
             password: qwerty321
             confirmPassword: qwerty321
     VerificationEmailRequest:
@@ -863,9 +862,8 @@ components:
             properties:
               token:
                 type: string
-                format: JWT
           example:
-            token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlcyI6WyJVU0VSIl0sImlzc3VlZEF0IjoiMjAyMS0xMC0yMFQxNDozMzo0NC43MDcyOTMzMDlaIiwiZXhwIjoxNjM0NzQxMzI0LCJ1c2VySWQiOjJ9.uXOVA1q-o2DtHmwBAzEfqEm8GLpAhXrYo0rlZ_6NFbBGILhkV74x-Iu9W2uSfSlwp1IfKPCHlR6zWVPvAbhWVw
+            token: 550e8400-e29b-41d4-a716-446655440000
     PatchProfileRequest:
       description: Patch profile request
       required: true

docs/src/content/how-it-works/auth.mdx

@@ -107,22 +107,19 @@ Users can sign in with their Google account as an alternative to email/password
 
 ### Account Verification
 
-When a user signs up, a JWT with the purpose `verify_email_token` is created and sent to the user via email as part of a verification link.
+When a user signs up, a random opaque token (UUID) is generated and stored in Redis alongside the user's ID. The token is sent to the user via email as part of a verification link. When the user clicks the link, the token is looked up in Redis to identify the user, then immediately deleted (one-time use). The token automatically expires via Redis TTL if unused.
 
 ### Password Reset
 
-When a user requests a password reset, a JWT with the purpose `reset_password` is generated and sent to the user via email as part of a reset link.
+When a user requests a password reset, a random opaque token (UUID) is generated and stored in Redis alongside the user's ID. The token is sent to the user via email as part of a reset link. When the user submits a new password with the token, it is looked up in Redis, then immediately deleted (one-time use). The token automatically expires via Redis TTL if unused.
 
 ### JWT Structure
 
-All JWTs share the following structure:
+Access and refresh tokens are JWTs with the following structure:
 
 - **issuer**: ID of a user who created the token.
 - **issuedAt**: Timestamp of when the token was created.
 - **expireAt**: Timestamp of when the token expires.
-- **purpose**: Describes the token's purpose (`access_token`, `refresh_token`, `reset_password_token`, `verify_email_token`).
-
-Access and refresh tokens include additional claims:
-
+- **purpose**: Describes the token's purpose (`access_token`, `refresh_token`).
 - **roles**: Represents the roles assigned to the user.
 - **deviceId**: Identifies the device/session the token belongs to.