- client sends request to api server to create user with email and password
- api server stores email and a salted password hash (never the password itself)
- client sends request to api server to log in with email and password
- api server checks email & password, then creates & signs token if correct and returns to client
- client stores token (e.g. local storage if browser)
- client makes requests for resources, and includes token in every request
- api server validates token, and if successful, returns resource
- if token is invalid, api server sends back error response
- on logout, client deletes token from storage so the client can no longer use it (a stateless signed token stays valid until it expires unless the server also tracks revoked tokens)
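The whole flow above, end to end, as an added example (not code from the original notes). It assumes an in-memory user store, PBKDF2-HMAC-SHA256 for the salted password hash, and a compact HMAC-signed token (`base64url(claims).base64url(signature)`, with `sub`, `exp` and `jti` claims) in place of a real JWT library; the `revoked` set stands in for whatever server-side revocation store a deployment would use.

```python
"""Token-based auth flow: register, log in, call a resource, log out.
Added example; the server key, store and token format are all assumed."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed: loaded from a secrets manager in practice
TOKEN_TTL = 3600                       # token lifetime in seconds
PBKDF2_ROUNDS = 600_000                # slow hash: many iterations per guess

users = {}      # email -> {"salt": bytes, "hash": bytes}   (constructed in-memory store)
revoked = set() # token ids (jti) rejected before their natural expiry


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# steps 1-2: create user; store only the random salt and the slow hash
def create_user(email: str, password: str) -> bool:
    if email in users:
        return False
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": _hash_password(password, salt)}
    return True


def _sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


# steps 3-4: check email & password, then mint a signed token for the client to store
def login(email: str, password: str):
    rec = users.get(email)
    if rec is None:
        # hash anyway so response time does not reveal whether the email exists
        _hash_password(password, b"\0" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    claims = {"sub": email, "exp": int(time.time()) + TOKEN_TTL, "jti": secrets.token_hex(8)}
    return _sign(claims)


# steps 7-8: on every request, check signature, expiry and revocation
def validate(token: str):
    try:
        body, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):   # malformed base64 / JSON / wrong shape
        return None
    if claims.get("exp", 0) < time.time() or claims.get("jti") in revoked:
        return None
    return claims


def get_resource(token: str):
    """Returns (body, status) like an API endpoint would."""
    claims = validate(token)
    if claims is None:
        return {"error": "invalid token"}, 401
    return {"resource": f"private data for {claims['sub']}"}, 200


# step 9: the client drops its copy; the server must also revoke the jti, because a
# stateless signed token would otherwise keep validating until exp
def logout(client_storage: dict, token: str) -> None:
    claims = validate(token)
    if claims is not None:
        revoked.add(claims["jti"])
    client_storage.pop("token", None)


if __name__ == "__main__":
    client = {}
    create_user("a@example.com", "correct horse battery staple")
    client["token"] = login("a@example.com", "correct horse battery staple")
    print(get_resource(client["token"]))        # 200 with the resource
    logout(client, client.get("token"))
    print("token" in client)                    # False
```

The server-side `revoked` set is what turns the client-side delete of step 9 into an actual logout; without it the server would keep accepting the old token until `exp`.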