Changed all API endpoints to validate os_xxx tokens via SHA-256 hash
lookup in the database instead of expecting JWT format.
This allows tokens generated in the settings page (Ajustes → Dispositivos)
to work correctly with the Android app.

- /api/auth/device/verify: validates os_xxx tokens via hash
- /api/inbox: uses hash-based auth
- /api/inbox/batch: uses hash-based auth
- No token expiration (tokens valid until revoked)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- POST /api/inbox - Create single inbox item from notification
- POST /api/inbox/batch - Create multiple inbox items at once (max 50)
- Validates input with Zod schemas
- Requires API token authentication
- Returns created/updated items with IDs for client sync
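
The hash-lookup validation described in the first commit message, sketched as an added example; it is not the project's code. The token shape (`os_` plus 32 random bytes as base64url), the `Bearer` header, the `DeviceTokenStore` class and the in-memory map standing in for the database table are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed token shape: "os_" + 43 base64url characters (32 random bytes).
const TOKEN_RE = /^os_[A-Za-z0-9_-]{43}$/;

const sha256Hex = (s) =>
  nodeCrypto.createHash('sha256').update(s, 'utf8').digest('hex');

// In-memory stand-in for the device-token table, keyed by token hash.
class DeviceTokenStore {
  constructor() {
    this.rows = new Map();
  }

  // Issue a token: the plaintext is returned once, only its hash is stored,
  // so a leaked table does not yield usable credentials.
  issue(userId, deviceName) {
    const token = 'os_' + nodeCrypto.randomBytes(32).toString('base64url');
    this.rows.set(sha256Hex(token), { userId, deviceName, revokedAt: null });
    return token;
  }

  // No expiry: a token stays valid until this marks it revoked.
  revoke(token) {
    const row = this.rows.get(sha256Hex(token));
    if (row) row.revokedAt = new Date();
    return Boolean(row);
  }

  // Resolve an Authorization header to a user id, or null on any failure.
  authenticate(authorizationHeader) {
    const m = /^Bearer (\S+)$/.exec(authorizationHeader || '');
    // Shape check first: JWTs and malformed values never reach the lookup.
    if (!m || !TOKEN_RE.test(m[1])) return null;
    const row = this.rows.get(sha256Hex(m[1]));
    if (!row || row.revokedAt) return null; // unknown or revoked
    return row.userId;
  }
}
```

Because tokens never expire, revocation is the only control that ends a token's life, so the revoked check has to sit on every authenticated endpoint.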