Ah yes. `phx.gen.auth` generates a cookie-based auth system, which is fine for the :browser pipeline but it's not generally what you want for a JSON API.

The Phoenix docs include a suggestion for how you can extend `phx.gen.auth` to add token-based authentication to your API: https://hexdocs.pm/phoenix/api_authentication.html

(No, this isn't "rolling your own auth" either, it's using someone else's pre-written auth code.)