Demo only. The endpoints under server/api/ simulate a real ClientBE. In production, your backend owns the CIBA confidential client and the receipt-introspection step.
Sign in first
Web-tx-signing calls AuthServer with the user's JWT. Visit /login first.