There's a new feature flag called api-session-auth that I'd like to set to "true" or "1" so that the SPA can log in to the backend: http://preview.guides.gdcc.io/en/develop/installation/config.html#feature-flags

It should definitely be unset or explicitly off by default, because it's a potential security risk. (This is just for demos until we have bearer token support for the backend and the frontend.)

Please let me know if we can add this. Thanks! ❤️