We ended up caching the credentials and the JWT refresh token from Clerk, and then manually requesting the access token using the Clerk's sparsely documented frontend API. Except that to do this with Clerk, we needed to fake the cache API and then pluck the token out of the undocumented "__clerk_client_jwt" key.

This is supported by Better Auth out-of-the box. It doesn't hide these kinds of stuff from you.