JSON Web Token Exchange
Qloud sets a JWT as a cookie in the browser (see Cookies). The proxy then processes this cookie and
replaces it with an internal JWT. Externally, we use RS256 to sign the JWT with a private key known
only to Qloud servers. For communication with the backend, we use HS256 to sign the JWT with the
shared secret shown in the Qloud Console.
The external JWT is long-lived (2 weeks); the internal JWT is short-lived (1 minute).