POST /api/auth/login and cookie sessions.
POST /api/admin/change-password. Session is invalidated by design; you must login again.
/api/admin/users, /api/admin/users/<id>/reset-password| ID | Username | Role | Active | Force PW | Last login | Actions |
|---|
force_password_change true and revokes sessions (by backend safety rules).