Uses POST /api/auth/login/ on your configured API origin. Coordinate cookie refresh + CSRF with the sibling API (AUTH_CONTRACT.md / AUTH_WEB.md).
POST /api/auth/login/
AUTH_CONTRACT.md
AUTH_WEB.md