A client may receive a login token via some external service, such as email or SMS. Note that a login token is separate from an access token, the latter providing general authentication to various API endpoints.