@verius Specifically, just so you know, the problem there is that the user login information isn't persisted at all for security reasons, so it has no real way to know the credentials are valid unless you're already logged in, or you're logging in _at that time_.

It's probably still a good idea to prevent shifting-style attacks to make sure it's the user they say they are, but this is returned by that end point.

In other words, don't assume it's okay just because it's a 200 code and not a client error; inspect what the end point has returned.