Himmig: Yea as much as I can - Login details are removed immediately after the setup and I use encryption for the short time the information is needed.
I'd rather not have it at all but the API doesn't really give us a different option.
Just had a look at this page https://github.com/madleech/FlickElectricApi/blob/master/src/flick-api.coffee
Since you're using madleech's code, can you tell me where this came from?
I'm not familiar with JWT but are these values invariant? And do they relate to the authentication of the mobile client vs authentication of the user?