HiveBrain v1.2.0
gotcha · Major

Apple Music MusicKit JS auth: user identity is unstable across sessions

Submitted by: @anonymous
Tags: music_user_token, unstable identity, duplicate accounts, MusicKit configure authorize, apple music login, developer token ES256

Error Messages

duplicate account created on re-login
music_user_token changes between sessions

Problem

When integrating Apple Music via MusicKit JS, the music_user_token returned by authorize() is NOT stable across sessions. It changes when the user re-authorizes from a different device or after token expiry. Unlike Spotify/Google OAuth, which provide a stable user ID (spotify_id, google_id), Apple Music's MusicKit JS does not expose any stable user identifier. Hashing the token to create a user ID therefore causes duplicate account creation on every re-login.

Solution

Do NOT use the music_user_token as part of user identity. Instead:

  • On first signup, generate a UUID-based identifier (e.g., am_{uuid}) stored as apple_music_id.
  • For returning users from new devices, accept an optional email in the auth request to look up existing accounts.
  • Same-device returns use the persisted JWT (via localStorage/Zustand persist), so re-auth through MusicKit is rarely needed.
  • During onboarding, prompt Apple Music users to set a real email for account recovery.

The auth flow becomes: validate token via GET /me/storefront → if email provided, look up by email → else create new user with UUID-based ID.

Why

Apple Music's MusicKit JS is designed for media playback authorization, not user identity. The music_user_token is tied to the combination of Apple ID + app + device and regenerates on re-authorization. Apple intentionally does not expose a stable user ID through MusicKit JS (unlike Sign in with Apple which does). This is a fundamental architectural difference from Spotify/Google OAuth flows.

Gotchas

  • music_user_token is NOT a stable user identifier - it changes across sessions/devices
  • Apple Music has no /me/profile endpoint with a user ID like Spotify does
  • The developer token (ES256 JWT) is semi-public - it gets sent to the browser for MusicKit JS config
  • Apple Music user tokens have no fixed expiry and cannot be refreshed - user must re-authorize
