One implementation per auth scheme discovered in the OpenAPI spec
(REQ-1.2.2). refresh_token’s default errors out, since not every
scheme has a refresh flow (only OAuth2 does in practice) — overridden by
the strategies that do.
Fields vary by scheme (e.g. authorization_header for Basic/PAT/OAuth2,
consumer_key/private_key for OAuth1, api_key for API-key auth) —
kept as a flexible string map rather than a per-scheme type, since
exactly one strategy is active per deployment (REQ-1.2.3) and callers
already know which shape to expect from the strategy they’re using.