Native ASWebAuthenticationSession for the OAuth flow with PKCE (SHA-256 challenge). Refresh tokens are stored in macOS Keychain (kSecAttrAccessibleWhenUnlocked), access tokens are never persisted — refreshed on demand. No custom WebView, no embedded browser, no token stored in UserDefaults or on disk. The only things in UserDefaults are the account email list and display names.