Secure the browser app and Custom GPT access behind one authenticated broker.

Browser sessions stay in secure HTTP-only cookies. Custom GPT Actions can use per-user bearer tokens generated after login, while the server keeps the MCP integration behind protected routes.