When bowlServerOrigin (or apiBaseUrl) is set, Discord login uses the bowl server’s OAuth flow. In Discord’s app settings, set the redirect URI to the server’s /auth/discord/callback only. Otherwise, set a Client ID here and use auth-callback.html on this origin as the redirect URI.
OAuth returns a code query param — exchange it for tokens on your server; never put your
client secret in front-end JavaScript.
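
An added example (not the bowl server's own code) of what a server-side handler for the callback can do with the code parameter before calling Discord's token endpoint. The function names, the config object and the sample values are assumptions; the state check is standard OAuth practice that goes beyond what the text above covers.

```javascript
// Added example: validate the OAuth callback on the server and build the
// token-exchange request. Only Discord's token endpoint is a real identifier;
// every other name and value here is hypothetical.
const DISCORD_TOKEN_URL = "https://discord.com/api/oauth2/token";

// Compare without an early exit so timing does not reveal where strings differ.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { error } when the callback must be rejected, else { url, init }.
function buildTokenRequest(callbackUrl, expectedState, cfg) {
  const q = new URL(callbackUrl).searchParams;
  if (q.get("error")) return { error: "provider_error" }; // e.g. consent denied
  // expectedState is the value the server stored in the session before redirecting.
  if (!safeEqual(q.get("state"), expectedState)) return { error: "state_mismatch" };
  const code = q.get("code");
  if (!code) return { error: "missing_code" };
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: cfg.redirectUri, // must equal the URI registered with Discord
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // read from server config, never shipped to the browser
  });
  return {
    url: DISCORD_TOKEN_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Constructed sample values, for illustration only.
const cfg = {
  clientId: "CLIENT_ID_PLACEHOLDER",
  clientSecret: "SECRET_FROM_SERVER_ENV",
  redirectUri: "https://bowl.example/auth/discord/callback",
};
const base = "https://bowl.example/auth/discord/callback";
const ok = buildTokenRequest(base + "?code=abc123&state=s3ss10n", "s3ss10n", cfg);
const forged = buildTokenRequest(base + "?code=abc123&state=other", "s3ss10n", cfg);
console.log(ok.url, forged.error);
```

A real handler would pass the result to fetch(ok.url, ok.init) and keep the returned tokens in the server-side session.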