Request a one-time code by email, then verify to receive an access token and refresh cookie.
Session storage keys: auth_token, auth_token_expires, auth_user. Refresh cookie is set by server.