sequenceDiagram
    participant Admin as Admin Web
    participant API as Widget API
    participant DB as DynamoDB
    
    Admin->>API: POST /admin/users/login<br/>{username, password}
    API->>DB: Query users table<br/>(GSI: UsernameIndex, username)
    DB-->>API: User data (password_hash)
    API->>API: Verify password (bcrypt)
    API->>API: Create JWT token<br/>(expires_in = ACCESS_TOKEN_EXPIRE_MINUTES, default 10080m = 7 days)
    API-->>Admin: {access_token, token_type, expires_in}
    
    Note over Admin: Store token in localStorage
    
    Admin->>API: GET /admin/sites<br/>Authorization: Bearer {token}
    API->>DB: Check token_blacklist table
    DB-->>API: Token not found (valid)
    API->>API: Verify JWT signature
    API->>DB: Query sites table
    DB-->>API: Sites list
    API-->>Admin: Sites data (200)