- authentication - "who are you?"
  - password hashing with argon2
  - JWT (15 min access) with refresh (30 days)
  - identity dependencies (current_user_claims, optional_user, get_current_user_id, oauth2_scheme)
  - room for growth: OAuth/SSO, API-tokens for third-party apps, 2FA, refresh-token rotation, impersonation
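
An added example (not code from these notes) of the 15 min access / 30 day refresh split, showing why each token must carry its intended use so a refresh token is never accepted where an access token is expected. It uses a stdlib HS256 signer in place of a JWT library; `SECRET`, the `use` claim and the function names are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"          # constructed sample key (assumption)
ACCESS_TTL = 15 * 60                      # 15 min access token
REFRESH_TTL = 30 * 24 * 3600              # 30 day refresh token
TTL = {"access": ACCESS_TTL, "refresh": REFRESH_TTL}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    # The algorithm is fixed server-side; the token header's "alg" is never consulted.
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue(user_id: str, use: str, now=None) -> str:
    """Issue a signed token whose hypothetical "use" claim is access or refresh."""
    if use not in TTL:
        raise ValueError("unknown token use")
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "use": use, "iat": now, "exp": now + TTL[use]}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def verify(token: str, expected_use: str, now=None) -> dict:
    """Return the claims, or raise ValueError on any failed check."""
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")   # wrong part count raises ValueError
    if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{body}").encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("use") != expected_use:
        raise ValueError("wrong token use")  # e.g. refresh token sent as access
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def refresh(refresh_token: str, now=None) -> str:
    """Exchange a valid refresh token for a new 15 min access token."""
    claims = verify(refresh_token, "refresh", now)
    return issue(claims["sub"], "access", now)
```

This block does not rotate or revoke refresh tokens; a refresh token stays usable for its full 30 days.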