The txn_id in a token authentication request is meant to be tied permanently to the (single-use) token by the server, *after* the first request from the client that includes the txn_id. It functions as a nonce that other clients would not be able to guess, essentially locking the token to a specific client. Ref https://github.com/matrix-org/matrix-doc/pull/69
This returns an HTML and JavaScript page which can perform the entire login process. The page will attempt to call the JavaScript function window.onLogin when login has been successfully completed.
FIXME: Review where the homeserver *address* should be returned and where the *name* should be returned (which can differ, ref. https://brendan.abolivier.bzh/enter-the-matrix/) -- in particular the `homeserver` property in login/register routes