Great introduction! However, I'd like to point out one thing: the standard practice is to send the JWT in the Authorization header as a Bearer token, that is, the value of this header should be Bearer <jwt_here>. Then we can modify the /verify endpoint to check the Authorization header and extract the token by splitting it by space and getting the second value.
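Worked example, added here and not code from the original post or the commenter: a minimal /verify handler that pulls the token out of the Authorization header the way the comment describes (split on whitespace, take the second part, but also check that the first part is the Bearer scheme and that there are exactly two parts) and then verifies an HS256 signature and expiry using only the standard library. The secret, the claims, the handler name and the plain-dict representation of request headers are assumptions made for this example; a real service would use a maintained JWT library for the signature step.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed demo secret; assumption for this example only.
SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None.

    Header names are matched case-insensitively (HTTP headers are), and the
    scheme name 'Bearer' is compared case-insensitively as RFC 7235 requires.
    Splitting on whitespace and demanding exactly two parts rejects a bare
    'Bearer', a different scheme such as 'Basic', and trailing junk.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Create an HS256 JWT; used here only to produce test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust 'alg' from the token to pick the check.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def verify_endpoint(headers: Dict[str, str]) -> Tuple[int, dict]:
    """The /verify handler: (status code, JSON body) for the given headers."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, {"error": "missing or malformed Authorization header"}
    claims = verify_token(token)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    return 200, {"user": claims.get("sub")}


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "exp": 2_000_000_000})
    print(verify_endpoint({"Authorization": "Bearer " + tok}))
    print(verify_endpoint({"Authorization": "Basic " + tok}))
```

Two checks are worth keeping even in a toy: `hmac.compare_digest` for the signature comparison, and pinning the algorithm instead of reading it from the token, which is what rules out the well-known `alg: none` and HMAC/RSA confusion cases.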