Well, the main thing to consider is that the internal server can only process one request at a time. As the manual says, if there are two requests at the same time, one will block until the other is completed.
This is a bit like the situation if you use file-based sessions: since the session file is locked, multiple requests that are part of the same session have to queue up and wait their turn to get a lock. With the inbuilt server, though, this single execution bottleneck is over all requests, not just on a per-session basis.
I'm not clear what your use case actually is: what is this authentication process actually for? The inbuilt server isn't suitable for anything public-facing. It's really more for local testing.