The JWT will be used to validate all the API calls.
The JWT is signed using the token with the algorithm HS256. When the request is made, BFY will get the token from the token_id and validate the header and body claim set are present and signed using the token.
The JWT goes in the request header under the key Authorization.
For security reasons this JWT should have a very limited valid time, this will reduce the possibility for a JWT to be used in more than one operation. Ideally the JWT should be built before the API call and have a duration no more that 1m.