Closed
Description
S2 currently has one API route /api/projects/[id]/token that requires authentication.
Plans are in place to add more routes.
SAB and co currently use Auth0 directly to get an authorization token, but this token is not directly compatible with S2.
We will need to add multiple endpoints to handle getting an authorization token through S2 instead.
Proposed Changes, per discussion in Discord:
- SAB opens https://app.scriptoria.io/api/auth/token?challenge=hash(random_str)&application=scriptureappbuilder which is redirected to https://app.scriptoria.io/login?redirect=/api/auth/token
- After login, the /api/desktop/token route redirects to scriptureappbuilder://auth/token?code=SOME_TOKEN which is a code (randomly) newly generated. This code is not considered secure and expires in say 5 minutes.
- The app uses this code to request a native token from, say, POST /api/auth/exchange data: { "verify": "random_str", "code": "SOME_TOKEN" }
- The token is only able to be used for native application tasks, such as fetching a project s3 token.
- The token expires after some time
- Will need to make sure search params persist in URL when redirecting to /login
- S2 will need to temporarily store the hashed random_str
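
One way the server side of the proposed challenge, code and exchange steps could look, as an added example that is not Scriptoria's own code. It assumes hash() means SHA-256 with base64url encoding and keeps state in an in-memory Map; the names issueCode, exchange and hashVerifier are hypothetical.

```javascript
// Added example (not project code): sketch of the proposed auth flow.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const CODE_TTL_MS = 5 * 60 * 1000; // "expires in say 5 minutes" from the proposal
const pending = new Map(); // code -> { challenge, application, userId, expiresAt }

// Assumption: hash() in the proposal is SHA-256, base64url-encoded.
function hashVerifier(randomStr) {
  return createHash('sha256').update(randomStr).digest('base64url');
}

// After login on GET /api/auth/token: bind a fresh one-time code to the
// challenge the app sent, so the code alone is useless to an interceptor.
function issueCode(challenge, application, userId, now = Date.now()) {
  const code = randomBytes(32).toString('base64url');
  pending.set(code, { challenge, application, userId, expiresAt: now + CODE_TTL_MS });
  return code;
}

// POST /api/auth/exchange with { verify, code }.
function exchange({ verify, code }, now = Date.now()) {
  const entry = pending.get(code);
  pending.delete(code); // single use, even when verification fails
  if (!entry || now > entry.expiresAt) {
    return { ok: false, error: 'invalid_or_expired_code' };
  }
  const expected = Buffer.from(String(entry.challenge));
  const actual = Buffer.from(hashVerifier(String(verify)));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    return { ok: false, error: 'challenge_mismatch' };
  }
  // Placeholder token: a real one would be signed, limited to native
  // application tasks, and given its own expiry.
  return {
    ok: true,
    userId: entry.userId,
    application: entry.application,
    token: randomBytes(32).toString('base64url'),
  };
}
```

Deleting the code before verifying means a failed guess at the verifier burns the code, so the app has to restart the flow rather than retry.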