Demo only. The endpoints under server/api/ simulate a real ClientBE. In production your backend owns the CIBA confidential client and the receipt-introspection step.
CIBA login
Type a phone number and approve on your phone. The browser polls the BFF until the AuthServer-issued JWT lands.
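The browser-side polling described above, sketched as an added example (not the demo's own code). The BFF reply shape `{ status }`, its status values, and the injected `fetchStatus` helper are assumptions; the 5-second default interval and the 5-second `slow_down` increase follow CIBA poll mode.

```javascript
// Added example: browser-side polling loop for a CIBA login.
// ASSUMPTIONS (not from the demo): the BFF status route and its JSON shape
// { status: "pending" | "slow_down" | "approved" | "denied" | "expired" }.
const MAX_INTERVAL_MS = 30000;

// Pure decision step: given poll state and one BFF reply, say what to do next.
function nextStep(state, reply, nowMs) {
  // Stop once the login request has outlived its lifetime, whatever the reply.
  if (nowMs >= state.deadlineMs) return { done: true, error: "timeout" };
  switch (reply.status) {
    case "approved":
      return { done: true, result: reply };
    case "denied":
    case "expired":
      return { done: true, error: reply.status };
    case "slow_down": {
      // Back off instead of hammering the BFF; CIBA poll mode adds 5 s.
      const intervalMs = Math.min(state.intervalMs + 5000, MAX_INTERVAL_MS);
      return { done: false, state: { ...state, intervalMs } };
    }
    case "pending":
      return { done: false, state };
    default:
      // Unknown status: fail closed rather than poll forever.
      return { done: true, error: "unexpected_status" };
  }
}

// Async driver. fetchStatus, sleep and now are injected so the loop can be
// exercised offline; in a browser fetchStatus would wrap fetch() with
// credentials: "same-origin" against the (hypothetical) BFF status route.
async function pollUntilApproved(fetchStatus, opts = {}) {
  const now = opts.now || (() => Date.now());
  const sleep = opts.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  let state = {
    intervalMs: opts.intervalMs || 5000,
    deadlineMs: now() + (opts.expiresInMs || 120000),
  };
  for (;;) {
    await sleep(state.intervalMs);
    const step = nextStep(state, await fetchStatus(), now());
    if (step.done) {
      if (step.error) throw new Error("CIBA login failed: " + step.error);
      return step.result;
    }
    state = step.state;
  }
}
```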