- client sends request to api server to create user with email and password
- api server stores email and a salted hash of the password
- client sends request to api server to log in with email and password
- api server checks email & password; if correct, it creates & signs a token and returns it to the client
- client stores token (e.g. local storage if browser)
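
The server side of the flow above, as an added example that is not part of the original notes. It assumes PBKDF2 for the salted hash, an HMAC-SHA256 signed token with an expiry claim, and an in-memory dict in place of the database; all function names and the iteration count are illustrative.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # signing key; assumed to live only on the API server
USERS = {}                        # email -> (salt, password_hash); stands in for the database

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation; the iteration count is an illustrative choice
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def create_user(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # unique random salt per user
    USERS[email] = (salt, _hash(password, salt))  # the plaintext password is never stored

def login(email: str, password: str, ttl: int = 3600):
    salt, stored = USERS.get(email, (b"\0" * 16, b""))
    # Hash even for unknown emails so both failure paths do similar work
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    claims = {"sub": email, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)  # token = payload.signature

def verify(token: str):
    # Run by the API server on every later request that carries the token
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None  # payload was altered or signed with another key
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None  # malformed token
    return claims if claims["exp"] > time.time() else None
```

The token payload is signed, not encrypted, so the client can read the claims but cannot change them without invalidating the signature.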