Start passwordless registration (sends email code). Existing accounts may return 409/422 — callers should fall back to requestLoginCode.
Request a one-time login code for an existing user.
Verify email + code and return session tokens (+ raw user when present).
Hand-maintained passwordless helpers bound to an HttpClient (typically
client.httpwith a publishable key header set).