No idea if this is at all close to being useful...
A while back, I built a capability-based web console. Think like AWS Console... single console providing access to different services. Each service was responsible for serving its own UI and was guaranteed to be served on a specific URL path (the console itself was a service which other services registered with and reserved a url path on). The console itself functioned as a proxy, so it would accept a browser request for, say /services/<service name>, but then proxy that request to <service name> on the backend and respond with whatever UI the backing service sent.
This allowed for scoping service-specific capabilities into HTTP Only, Secure cookies, bound to specific paths. The service knew what path it was on, so it could update its own capabilities in the cookie as required. This mechanism provided the web UI experience from login to logout.
In order to use capabilities gained out of band of this mechanism (someone copy and pasting something), the console also had a /proxy/<service_name> API endpoint which the frontend would call using a POST request and including the capability in the request body. This would be converted to an API call to the backing service, which was a capability API. Maybe worth noting that to call /proxy/<service_name> at all required a console capability, stored in an HTTP Only, Secure, path bound cookie as well.
For things like "magic link" to login and such, the capability was contained in the URL fragment (onetime use, so meh), and a /login endpoint would serve javascript that would read the fragment on the browser and turn it into a /proxy/account API call, which would redirect as required on success.