One important point is that we do not follow the OAuth 2.0 protocol since for simple email password login without SSO, we do not need to provide OAuth.

So the login part, is a simple API call with the email / password. On success, a session is created, and the flow for that is provided here (in a diagram): https://supertokens.io/docs/emailpassword/common-customizati...