The API uses refresh token rotation (RTR) to issue self-contained access tokens. Access tokens can't be invalidated (for performance reasons), so their lifespan is kept short. As is usual for an API, CSRF tokens aren't used. CORS headers are intentionally fully relaxed to facilitate automation and third-party clients.
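The following is an added illustration of the design just described, not the API's own code: short-lived, HMAC-signed access tokens that are verified without any server lookup (hence they cannot be revoked and must expire quickly), and opaque refresh tokens that are rotated on every use and tracked in token families, so that a replayed, already rotated-out refresh token revokes the whole session. The service name, signing key, lifetimes and family scheme are assumptions made for this example.

```python
"""Refresh token rotation (RTR) with reuse detection and self-contained access
tokens. Hypothetical example service; names, key and lifetimes are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

ACCESS_TTL = 300           # seconds; short because access tokens cannot be revoked
REFRESH_TTL = 30 * 86400   # seconds; refresh tokens are stateful and can be revoked


class TokenError(Exception):
    """Raised when a refresh token is unknown, expired, reused or revoked."""


@dataclass
class RefreshRecord:
    family: str         # one family per login; rotated tokens stay in the same family
    user: str
    expires_at: float
    used: bool = False  # set once the token has been exchanged (rotated out)


class TokenService:
    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock              # injectable clock so expiry can be tested
        self._refresh = {}               # refresh token -> RefreshRecord (server-side state)
        self._revoked_families = set()   # families killed by reuse detection

    # --- self-contained access tokens: HMAC-signed JSON, no server lookup ---
    def _mint_access(self, user: str) -> str:
        payload = json.dumps({"sub": user, "exp": self._clock() + ACCESS_TTL},
                             separators=(",", ":")).encode()
        body = base64.urlsafe_b64encode(payload).rstrip(b"=")
        sig = base64.urlsafe_b64encode(
            hmac.new(self._key, body, hashlib.sha256).digest()).rstrip(b"=")
        return (body + b"." + sig).decode()

    def verify_access(self, token: str) -> Optional[dict]:
        """Return the payload if signature and expiry check out, else None."""
        try:
            body, sig = token.encode().split(b".", 1)
            expected = base64.urlsafe_b64encode(
                hmac.new(self._key, body, hashlib.sha256).digest()).rstrip(b"=")
            if not hmac.compare_digest(sig, expected):
                return None
            payload = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        except ValueError:       # malformed base64 or JSON (binascii.Error is a ValueError)
            return None
        if payload.get("exp", 0) <= self._clock():
            return None
        return payload

    # --- opaque, rotating refresh tokens ---
    def _issue_refresh(self, user: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh[token] = RefreshRecord(family, user, self._clock() + REFRESH_TTL)
        return token

    def login(self, user: str) -> Tuple[str, str]:
        """Start a new session (new token family). Returns (access, refresh)."""
        family = secrets.token_hex(8)
        return self._mint_access(user), self._issue_refresh(user, family)

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        """Exchange a refresh token for a new (access, refresh) pair."""
        rec = self._refresh.get(refresh_token)
        if rec is None:
            raise TokenError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise TokenError("session revoked")
        if rec.used:
            # A rotated-out token came back: either the token leaked, or a legitimate
            # client replayed it (e.g. a second tab racing the first). Both cases
            # revoke the whole family, forcing a fresh login.
            self._revoked_families.add(rec.family)
            raise TokenError("refresh token reuse detected; session revoked")
        if rec.expires_at <= self._clock():
            raise TokenError("refresh token expired")
        rec.used = True
        return self._mint_access(rec.user), self._issue_refresh(rec.user, rec.family)


if __name__ == "__main__":
    svc = TokenService(b"example-signing-key")   # constructed key, not a real secret
    access, refresh = svc.login("alice")
    access2, refresh2 = svc.refresh(refresh)      # normal rotation
    try:
        svc.refresh(refresh)                      # replay of the old token
    except TokenError as e:
        print("replay:", e)
```

Note the consequence for clients that share a session: two tabs that both try to refresh with the same old token will trip reuse detection and lose the session, which is why the client-side flow must coordinate who refreshes. The in-memory dictionaries stand in for whatever persistent store the real API uses.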
This is the authentication flow as seen from the client, taking into account that several clients (for example, multiple browser tabs) may share one session.