it doesn't do anything when you login...

[calvinmetcalf]

probably set a token on the cookie, and maybe a session

[knownasilya]

It sends a token back to the user, which is to be used via Authorization: Bearer [token] on the user's side. It's the clients job to store the token on it's end, either cookie or session/local storage