API with JWT access and refresh tokens - best practices

Nicola Attico
ServiceNow Employee

I'm dealing with an API that authenticates with JWT tokens. The standard mechanism is where you have a header "Authorization: bearer <JWT>". I came to the conclusion that the best way to implement that is to have a Connection & Credential alias, with a credential "API-Key" equal to the JWT token, and use "REST Step > Credential Value" which is kept encrypted. The problem now is (because the JWT expires after a few hours) how do you refresh the token. The API provides a refresh token that can be used for that (or alternatively, a user name and password authentication) – but what is the best way to protect the JWT returned by the API and copy it into the credential? Is there a best practice for that?

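One way to decide when the stored JWT has to be refreshed before the REST step uses it, as an added example that is not part of the original post and not ServiceNow's own API: it reads the token's `exp` claim with a safety margin and rotates both tokens through a caller-supplied store. The `store` and `refresh` callbacks are assumptions standing in for the encrypted credential record and the API's refresh endpoint.

```javascript
// Added example (not from the original post): schedule the JWT refresh by
// reading the token's "exp" claim with a safety margin, and rotate both the
// access and refresh tokens through a caller-supplied store.
// Reading "exp" locally is only for deciding when to refresh; the API server
// still verifies the signature. Anything unparsable counts as "refresh now".
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return null;          // header.payload.signature
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch (e) {
    return null;                                 // garbage in the credential
  }
}

// True when the token is missing, malformed, or expires within marginSeconds.
function jwtNeedsRefresh(jwt, nowSeconds, marginSeconds) {
  const payload = decodeJwtPayload(jwt);
  if (!payload || !Number.isInteger(payload.exp)) return true;
  return payload.exp - marginSeconds <= nowSeconds;
}

// `store` (load/loadRefreshToken/save) and `refresh` are hypothetical callbacks
// standing in for the encrypted credential record and the API's refresh
// endpoint; they are assumptions of this example, not ServiceNow APIs.
function getAccessToken(store, refresh, nowSeconds, marginSeconds) {
  const current = store.load();
  if (!jwtNeedsRefresh(current, nowSeconds, marginSeconds)) return current;
  const fresh = refresh(store.loadRefreshToken());
  store.save(fresh.accessToken, fresh.refreshToken); // rotate both; never log them
  return fresh.accessToken;
}

// Constructed test token: the signature segment is a placeholder, so this
// only exercises the parsing and scheduling logic above.
function makeTestJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc(payload) + '.placeholder-signature';
}
```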