// maybe motif instead of thread?

// Email Address validation example
thread = start_thread(EmailAddressValidation, "b@g.com");
thread = advance_thread(AddressValidation, token, code);
session = complete_thread(thread.id);

// Sms validation example
thread = start_thread(SmsAddressValidation, "12133447460");
thread = advance_thread(SmsAddressValidation, token, code);

// New passphrase
credential = create_credential(Passphrase, "b@g.com", "p4ssw0rd");
thread = start_thread(Passphrase, "b@g.com", "p4ssw0rd");
session = complete_thread(thread.id);

// New Totp
credential = create_credential(Totp);
thread = start_thread(Totp, code);
session = complete_thread(thread.id);

// New OneTimeCodes
credential = create_credential(OneTimeCode);
thread = start_thread(OneTimeCodes, code);
session = complete_thread(thread.id);

// MFA example which requires totp after email
thread = start_thread(Passphrase, "b@g.com", "p4ssw0rd");
Thread { Proof: { credential: [totp] } }
thread = advance_thread(Totp, code);
session = complete_thread(thread.id);


// REST entities
Identity
Credential
Address
Motif
Session

// example
POST /api/auth/email-validation
motif = start_motif(EmailAddress, "b@g.com", None)
--> an email has been sent with this motif.id + code and stuff
user clicks on email
GET /api/auth/email-validation/complete?motif_id=1234
session = complete_thread(motif_id)

under the hood, it looks up the thread_id, sees that it belongs to an email validation, validates the email, creates a new identity if it's not already attached, creates a session and returns that session.

GET /oidc/provider?state=123444 -- state validated by client
POST /api/auth/oidc { data ... }
motif = start_motif(Oidc, access_token, data)
session = complete_motif(motif.id)