Client makes an API call to get a one time use auth string. It asks for nip07 to sign an event with this string in the content. It verifies the event is valid for the user, then gives them a persistent session with a jwt cookie.