I spend a lot of time reading about JWTs and refresh tokens. At some point I wanted something I could run, break, and fix – a NestJS API that went past “hello world” and forced me to think about email links, cookies, databases, and deployment, not just decorators. That became a small auth + tasks backend: register, email verification, login, refresh, logout, forgot/reset password, role-based routes, throttling on login, Drizzle + PostgreSQL, Resend for mail, and Swagger so I could share the contract without narrating every endpoint.

Why this shape

Tutorial APIs often stop at POST /login returning a token. Real apps need the boring parts too: invalidating sessions, verifying email, resetting passwords, and making sure production URLs in emails point at the right host.…
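Two of those "boring parts" sit next to each other in practice: the link you put in a verification or reset email, and the one-time token that link carries. The snippet below is an added illustration, not code from the project described above, and it assumes a config value named `appUrl` (an analogue of an `APP_URL` environment variable) and hypothetical helper names. It builds the link from that configured base rather than from anything in the incoming request, so a spoofed Host header cannot redirect a reset link to another origin, and it stores only a SHA-256 hash of the token so a leaked database row cannot be replayed as a link.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Hypothetical config shape; in a NestJS app this would come from ConfigService.
export interface LinkConfig {
  appUrl: string; // e.g. "https://app.example.com" (constructed example value)
}

// Build an email action link from the configured base URL only.
// Refuses plain http outside local development so a misconfigured
// production deployment fails loudly instead of mailing insecure links.
export function buildActionLink(cfg: LinkConfig, path: string, token: string): string {
  const base = new URL(cfg.appUrl);
  if (base.protocol !== "https:" && base.hostname !== "localhost") {
    throw new Error("appUrl must use https outside local development");
  }
  const url = new URL(path, base);
  url.searchParams.set("token", token);
  return url.toString();
}

// Hash the raw token; only this value is persisted alongside the user row.
export function hashToken(raw: string): string {
  return createHash("sha256").update(raw).digest("hex");
}

// Issue a fresh single-use token: the raw value goes into the email,
// the hash goes into the database together with an expiry timestamp.
export function issueToken(now: Date, ttlMs: number): {
  raw: string;
  hash: string;
  expiresAt: Date;
} {
  const raw = randomBytes(32).toString("base64url");
  return { raw, hash: hashToken(raw), expiresAt: new Date(now.getTime() + ttlMs) };
}

// Verify a token presented back by the user against the stored hash and expiry.
// The comparison is constant-time so response timing does not leak hash bytes.
export function tokenIsValid(
  raw: string,
  storedHash: string,
  expiresAt: Date,
  now: Date
): boolean {
  if (now.getTime() >= expiresAt.getTime()) return false;
  const a = Buffer.from(hashToken(raw), "hex");
  const b = Buffer.from(storedHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Usage sketch (constructed values):
const issued = issueToken(new Date(), 30 * 60 * 1000); // 30-minute reset window
const link = buildActionLink(
  { appUrl: "https://app.example.com" },
  "/auth/reset-password",
  issued.raw
);
console.log(link); // token in the mail, issued.hash + issued.expiresAt in the DB
```

Once the token has been consumed, delete the stored hash so the link cannot be used twice; the verification and password-reset flows differ only in the path passed to `buildActionLink` and the handler that consumes the token.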