Authentication
In the QuickSkill product itself (the app you received): auth is
email-OTP login with rotating refresh tokens, backed by JWT_SECRET. In
development, OTP codes print to the API console — no email round-trip
needed unless RESEND_API_KEY is set.
In this distribution portal (where you bought QuickSkill from): sign-in is a magic-link email, backed by Auth.js with a Drizzle/MariaDB adapter and JWT sessions. These are two separate systems — the portal only exists to deliver your repository; your shipped product's auth lives entirely in the repository you received.
Don't confuse the two .env files: the portal's environment variables
(NEXTAUTH_SECRET, SMTP_*, etc.) never appear in your product; your
product's api/.env and app/.env are the ones documented in
Get started.