# Message sequence chart: an e-mailed 6-digit challenge code gates
# GET /hosts/<host-id>/auth, which returns a JWT bearer token on success.
msc {
# Double the default horizontal scale so the long labels fit.
hscale = "2";
# Entities: the human user, their mail client, their browser, and the server.
user, users_email_client, users_browser, server;
user => users_browser [label="Access web application"];
# The challenge is requested for one named method + path.
# NOTE(review): the server presumably rejects a challenge-id presented on any
# other method/path than the one it was issued for; confirm against the server.
# NOTE(review): the chart does not show how the server picks the recipient
# mailbox (for example from <host-id> or an existing session); confirm.
users_browser => server [label="PUT /challenges with {\"path\": \"GET /hosts/<host-id>/auth\"}"];
# Only the challenge-id goes back to the browser; the code itself never does.
server => users_browser [label="JSON with {\"challenge-id\": \"<challenge-id>\"}"];
# The code travels out of band, so it is only as strong as the user's mailbox.
# NOTE(review): a 6-digit code has 10^6 values; it needs a short expiry,
# single use, and a per-challenge attempt limit, none of which is shown here.
server => users_email_client [label="Send 6-digit code"];
users_email_client => user [label="Show user 6-digit code"];
user => users_browser [label="Enter 6 digit code in UI"];
# The protected request carries both the challenge-id and the user's code.
# NOTE(review): the label does not say whether ST-Challenge-ID and
# ST-Challenge-Response are headers or query parameters; headers would keep
# the code out of URLs, access logs and browser history. Confirm.
users_browser => server [label="GET /hosts/<host-id>/auth with ST-Challenge-ID=<challenge-id> and ST-Challenge-Response=<6-digit code>"];
users_browser => user [label="JSON with {\"token\": \"<JWT token>\", \"type\": \"Bearer\"}"];
# NOTE(review): the token is kept in a cookie but later sent in an
# Authorization header (see the divider below), so page script presumably
# reads it. Such a cookie cannot be HttpOnly and is exposed to any XSS on the
# origin. Confirm the cookie attributes (Secure, SameSite) and token lifetime.
users_browser => user [label="Store JWT token as a cookie"];
# Divider: every later request authenticates with the bearer token alone.
--- [label="Subsequent JWT requests send token in Authorization: Bearer <JWT-Token>"];
}