User must be able to:

• create account by email & password.
• get access token using email & password.
• refresh access token using expired access token.
• access protected API endpoints using valid access token.
• logout by adding access token to blacklist