Session cookie is same-origin (credentials: 'include'). OAuth is separate: Connect Blackbaud (/auth/connect.html) for tenant tokens.
credentials: 'include'
/auth/connect.html