access token kept as global state

This seems strange / wrong.

Maybe `authenticated()` should accept a function to receive the access token retrieved? This function can decide what to do with the access token.

Note that this may make dealing with expired tokens harder.