cosmetics sync. auth (once per launcher session): POST /api/auth/login {uuid, username} -> {token, uuid, username} identity is verified against Mojang and bound to a signed session JWT session (mod opens these on game-server-join, closes on leave): POST /api/session/join {session_id} POST /api/session/leave POST /api/session/heartbeat GET /api/stream [SSE: cosmetic_changed / player_joined / player_left] cosmetic state: PUT /api/cosmetics {equipped: {SLOT: id, ...}, settings: {id: [...]}} GET /api/cosmetics/{uuid} POST /api/cosmetics/batch {uuids: [...]} misc: GET /api/slots GET /api/stats all endpoints except /api/auth/* and / require Authorization: Bearer .