TODO: finish documenting this.
For now, see this thread for some background. In short: you create a claim stating that a user has access to something; your blobserver's public frontend then authenticates the remote user (if applicable) and gives them access as permitted by your claim.