We need transparent authentication and automatic re-authentication (when a token expires) for HTTP client libraries that talk to cloud services. The solution must be:
- Explicit — clear where auth is applied and where it is not
- Safe — no accidental token leakage to unrelated services
- Simple to retry — re-authentication on 401 without body rewind hacks