Using JWT with Sync Gateway?

Hey Derek, I hope this is helpful, but I use JWTs as well and this is my process:

All requests are proxied by Nginx, so Sync Gateway exists at /sync and my API is at /api/v1/

To log in, I send a request to /api/v1/account/login with username/password (for example)

  • Internally, the user/pass are authenticated, and if valid, a JWT is created to be used for other API calls (logout, some info not included in SG)
  • If the user/pass is valid, I do a request to SG over the Admin port (4985) to get a sync gateway cookie (if that returns a certain error, I create a new user and then re-request the cookie)
  • My app server waits on the cookie, and when received, it completes the login process for the user by attaching the cookie to the response, as well as (in my case) embedding the JWT in the response body.

I set up my Couchbase Mobile session to use the cookie in the push/pull replication headers. Otherwise, I have a request interceptor which includes my JWT for my REST API calls.

So far I haven’t run into any problems. If the cookie expires, I re-login/re-request a cookie (in my case, there is no difference between these two functionality-wise).

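The server-side part of the login flow described in the reply above, sketched in Python as an added example (not the poster's code). The database name `appdb`, treating HTTP 404 as the "certain error" for an unknown user, the random Sync Gateway password, and the `Secure`/`HttpOnly` cookie flags are assumptions.

```python
import json
import secrets
from http.cookies import SimpleCookie
from urllib import error, request

ADMIN_URL = "http://127.0.0.1:4985"  # admin port from the post; reachable only from the app server
DB = "appdb"                         # assumption: placeholder database name

def admin_post(path, body):
    """POST JSON to the Sync Gateway admin API and return (status, parsed JSON)."""
    req = request.Request(ADMIN_URL + path, data=json.dumps(body).encode(),
                          headers={"Content-Type": "application/json"}, method="POST")
    try:
        with request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except error.HTTPError as exc:
        return exc.code, {}

def sync_gateway_session(username, ttl=86400, post=admin_post):
    """Call only after the app has verified the user's credentials itself."""
    wanted = {"name": username, "ttl": ttl}
    status, data = post(f"/{DB}/_session", wanted)
    if status == 404:  # assumption: the "certain error" for an unknown user
        # Random password: the user only ever gets sessions minted over the admin port.
        new_user = {"name": username, "password": secrets.token_urlsafe(32)}
        created, _ = post(f"/{DB}/_user/", new_user)
        if created not in (200, 201):
            raise RuntimeError(f"user creation failed: HTTP {created}")
        status, data = post(f"/{DB}/_session", wanted)
    if status not in (200, 201) or "session_id" not in data:
        raise RuntimeError(f"session creation failed: HTTP {status}")
    return data

def session_cookie_header(session, ttl=86400, path="/sync"):
    """Build the Set-Cookie value the login response carries."""
    name = session.get("cookie_name", "SyncGatewaySession")
    jar = SimpleCookie()
    jar[name] = session["session_id"]
    jar[name]["path"] = path        # scope to the proxied Sync Gateway location
    jar[name]["max-age"] = ttl
    jar[name]["secure"] = True      # added hardening, not stated in the post
    jar[name]["httponly"] = True
    return jar[name].OutputString()
```

The `post` parameter lets the admin call be swapped for a stub in tests; in production the default talks to the admin port, which should stay bound to localhost or a private interface rather than being proxied by Nginx.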