# 5.3.2 User Authentication and Session Handling

This diagram separates human user authentication from device-level authentication.

```mermaid
flowchart LR
    User[User in Browser]
    AuthAPI[/Better Auth Endpoints/]
    Session[(session table)]
    Users[(users table)]
    Accounts[(account table)]
    DeviceReg[/Device Registration API/]
    DeviceToken[Signed Device Token]
    DeviceAPI[/Device Auth Routes/]

    User -->|sign up / sign in| AuthAPI
    AuthAPI --> Users
    AuthAPI --> Accounts
    AuthAPI --> Session
    Session -->|cookie-backed session| User

    User -->|authenticated session| DeviceReg
    DeviceReg -->|register browser as camera/client| DeviceToken
    DeviceToken --> DeviceAPI

    classDef auth fill:#e8f1ff,stroke:#2563eb,stroke-width:2px,color:#111827;
    classDef data fill:#fff7e8,stroke:#d97706,stroke-width:2px,color:#111827;
    class AuthAPI,DeviceReg,DeviceAPI,DeviceToken auth;
    class Session,Users,Accounts data;
```