blazor authentication service (WEB Api server)

using Application.Users;
using MediatR;
using Microsoft.AspNetCore.Mvc;
using System.Xml.Linq;
using Infrastructure.Service;

namespace WebApi.Controllers;


[ApiController]
[Route("api/auth")]
public sealed class UserController(IMediator mediator) : ControllerBase
{
    [HttpPost("register")]
    public async Task<ActionResult> RegisterAsync([FromBody] RegisterRequest request, CancellationToken ct)
    {
        var command = new RegisterUserCommand(request.Name, request.Email);
        var userId = await mediator.Send(command, ct);

        return Ok(new { UserId = userId });

    }

    [HttpPost("login")]
        public async Task<ActionResult> AuthenticateAsync([FromBody] LoginRequest request, CancellationToken ct)
        {
            var command = new LoginUserCommand(request.Name, request.Email);
            var user = await mediator.Send(command, ct);

            if (user == null)
            {
                return Unauthorized("Invalid credentials.");
            }

            var token = JwtGenerator.GenerateToken(user);
            return Ok(new { Token = token });
        }
}

//I prefer to use Serilog + [Logmasked] attribute to be sure that data can't be leaked  
public sealed record RegisterRequest (string Name,string Email);
public sealed record LoginRequest (string Name,string Email);