Using Ash/Phoenix with a bespoke auth backend

How do you recommend I connect an Ash/Phoenix app to a bespoke auth backend? The backend provides an endpoint that takes an email and password and returns a session key, and an endpoint that takes the session key and returns roles. The Ash/Phoenix app will provide an email/password login screen and store the session key for use in API calls to a resource server. Is ash_authentication a good fit for this use case? Or do I wrap the backend in an Ash resource and write a plug? For context, I’m new to Ash, Phoenix, Elixir, and web apps, in general, so there are gaps in my understanding.