POST /api/auth with action: register, login, logout
GET /api/auth with Authorization header to validate