@barrett so somehow you can request tokens which authenticates you. Each token can only be used once.

But somehow the server doesn't know who the tokens were generated for, only that they're valid. And you use a unique token for each request. But the tokens can't even be linked to the same user by any method either.

The tokens can't be forged. I don't understand how this works yet. Super weird.