Now that we have an authenticated user, we can generate a token to send with the rest of our requests rather than passing our username and password everywhere. This is commonly known as a Bearer token and, conveniently, there is a Passport strategy for this.
For our tokens, we will use something called a JSON Web Token (JWT). JWT lets us encode a JSON object as a token, then later decode and verify it. The data stored in a token is open and simple to read for anyone who holds it, so passwords shouldn't be stored there; however, it makes verifying a user very simple. We can also give these tokens expiry dates, which helps limit the severity of a token being exposed.
You can read more about JWT at http://jwt.io/.
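To make those three properties concrete (readable payload, signature verification, expiry), here is an added example that is not part of the original text. It builds an HS256 token by hand with Node's built-in `crypto` module rather than a JWT library; the function names `signToken`, `readPayload` and `verifyToken` and the sample secret are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

// base64url is the encoding JWT uses for each of its three segments
const b64url = (input) => Buffer.from(input).toString('base64url');
const sign = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Issue an HS256 token whose exp claim is ttlSeconds from now.
function signToken(claims, secret, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const payload = b64url(JSON.stringify({ ...claims, exp }));
  return `${header}.${payload}.${sign(`${header}.${payload}`, secret)}`;
}

// No secret needed: anyone holding the token can read its claims.
function readPayload(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// Return the claims only if signature and expiry both check out, else null.
function verifyToken(token, secret, now = Date.now()) {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const [header, payload, signature] = parts;
    const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    if (alg !== 'HS256') return null; // pin the algorithm we issue
    const expected = Buffer.from(sign(`${header}.${payload}`, secret));
    const given = Buffer.from(signature);
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null; // constant-time compare
    const claims = readPayload(token);
    const nowSeconds = Math.floor(now / 1000);
    return typeof claims.exp === 'number' && claims.exp > nowSeconds ? claims : null;
  } catch {
    return null; // malformed token
  }
}

// Constructed sample values, for illustration only.
const secret = 'constructed-demo-secret';
const token = signToken({ sub: 'user-123' }, secret, 60);
console.log(readPayload(token)); // readable without the secret
console.log(verifyToken(token, secret)); // valid: returns the claims
console.log(verifyToken(token, 'wrong-secret')); // bad signature: null
console.log(verifyToken(token, secret, Date.now() + 61000)); // expired: null
```

In an application, a maintained JWT library should do this work; the hand-rolled version only shows what the library checks on each request.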
We can install JWT using ...