Channel: Hot Weekly Questions - Web Applications Stack Exchange

How does Discord keep me logged in without cookies, logins, or site data? [closed]


Under my browser settings (Firefox 83.0 on Fedora 31), I have enabled

  • When closed, Firefox should automatically clear all…
    • Cookies
    • Cache
    • Active Logins
    • Offline Website Data

However, even after doing a full shutdown of the browser (via e.g. Ctrl+Q), Discord's web app nevertheless recognizes me without requiring re-authentication.

What sort of black magic is this? I would expect that a real company with a CLO who does risk management wouldn't sign off on using mere heuristic fingerprinting as positive authentication enough to read and send DMs, so… what is it, then?

A look at Developer Tools - Network when visiting discord.com/app immediately after a restart shows that there are, in fact, no cookies erroneously being preserved between sessions…however, there are a few suspicious things:

[Screenshot: network monitor for discord.com/app showing several outbound requests with a blank Status field followed by a successful websocket request]

  1. Those status-less initial outbound requests

  2. The first outbound transmission within that websocket included a so-called token, that looked vaguely like a JWT

    {
      "op": 2,
      "d": {
        "token": "redacted_looked_vaguely_like_a_jwt",
        "capabilities": 61,
        "properties": {
          "os": "Linux",
          "browser": "Firefox",
          "device": "",
          "browser_user_agent": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0",
          "browser_version": "83.0",
          "os_version": "",
          "referrer": "",
          "referring_domain": "",
          "referrer_current": "",
          "referring_domain_current": "",
          "release_channel": "stable",
          "client_build_number": 75056,
          "client_event_source": null
        },
        "presence": {
          "status": "online",
          "since": 0,
          "activities": [
            {
              "name": "Custom Status",
              "type": 4,
              "state": "{my status}",
              "emoji": {
                "id": null,
                "name": "🃏",
                "animated": false
              }
            }
          ],
          "afk": false
        },
        "compress": false,
        "client_state": {
          "guild_hashes": {},
          "highest_last_message_id": "0",
          "read_state_version": 0,
          "user_guild_settings_version": -1
        }
      }
    }

The "token" field comprised three period-delimited sequences of characters in the set [A-Za-z0-9\-_], without any trailing = signs. After padding appropriately, the first field decoded to a valid ASCII sequence comprising only digits; the other 2 decoded to binary garbage I could see no particular structure in.

How is this being done? What technique is Discord using to bypass the browser's attempt to clear cookies, active logins, and (supposedly) offline website data? Where else might it be squirreling its token away?
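
The decoding step described in the question (split on periods, restore the padding, base64url-decode, inspect each segment), as an added example that is not part of the original post. The sample token is constructed and the function names are this example's own; the JSON-object check relies on the fact that a JWT's first segment decodes to a JSON header, which a run of digits is not.

```python
import base64
import binascii
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")  # the character set noted in the question

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment after restoring '=' padding."""
    if not B64URL.fullmatch(segment):
        raise ValueError("segment contains characters outside base64url")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except binascii.Error as exc:
        raise ValueError(f"malformed base64url segment: {exc}") from exc

def classify(raw: bytes) -> str:
    """Label decoded bytes: digits, JSON object (JWT-style header), text, or binary."""
    if raw.isdigit():
        return "ascii-digits"
    if all(0x20 <= b < 0x7F for b in raw):
        try:
            if isinstance(json.loads(raw), dict):
                return "json-object"
        except ValueError:
            pass
        return "ascii-text"
    return "binary"

def describe_token(token: str) -> list[dict]:
    """Split a three-part dotted token and report what each segment decodes to."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three period-delimited segments")
    return [{"kind": classify(raw), "length": len(raw), "raw": raw}
            for raw in map(b64url_decode, parts)]

def looks_like_jwt(token: str) -> bool:
    """A JWT's first segment decodes to a JSON object (the JOSE header)."""
    return describe_token(token)[0]["kind"] == "json-object"

def _enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample with the shape described in the question; not a real token.
SAMPLE = ".".join([_enc(b"123456789012345678"),
                   _enc(bytes([0x00, 0x9F, 0xC3, 0x11, 0xFE])),
                   _enc(bytes(range(200, 220)))])

if __name__ == "__main__":
    for i, seg in enumerate(describe_token(SAMPLE), 1):
        print(i, seg["kind"], seg["length"], seg["raw"])
    print("JWT-shaped:", looks_like_jwt(SAMPLE))
```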

