Service-dependent authentication filter
The browser needs to know what authentication token to choose for a particular query.
After unlocking of the staff PGP private key for a new session, the browser should transparently authenticate and gather tokens for with all the different services it knows about.
All queries needs to pass through this authentication component, so that tokens can be automatically refreshed as they expire.
Tokens should be filed under the corresponding "HTTP realm" the services announces.
This implies that the browser also needs to now which URLs match to which "realms."
Edited by Louis Holbrook