I wasn’t sure, which is why I left it to one side and did basic auth first. In that case, you basicauth once, receive a session cookie, and then send that on every request, instead of re-authing every request. So in that case the thing we’re caching is a cookie file, which contains tokens and expiry info and is well understood.