API and discovery
Authentication
Understand Mermail app sessions and request protection.
Mermail uses first-party app sessions for console users. The API creates an app session after the identity flow succeeds, then uses session cookies for later app requests.