A short lived cookie is set for the temporary JWT. The cookie will be
deleted once the token is manually refreshed.

Because the API's callback isn't directly called by the frontend, it
doesn't have access to the response. I found three options to pass
authentication to the frontend: via URL (query param/fragment
identifier), JavaScript in the callback response or a short lived
cookie. The cookie is easy to implement and doesn't require any
knowledge about the frontend.