[recursivedoubts]

Authentication works the normal way: you login via a login screen and that typically would establish a session cookie.

You can also use events to hook in CRSF tokens if you need to do so.

But it tries to use the original security model of the web as much as possible.