79189575

Date: 2024-11-14 16:13:06
Score: 1

Use cookies. When the user logs in, send a cookie with the proper domain, named, let's say, "auth-cookie". It will contain your JWT token. These cookies will be automatically sent back to you every time the user sends a request. Set the httpOnly field to true so that a hijacker cannot read the token using JavaScript. On logout, set the "auth-cookie" cookie to blank.

Reasons:
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Anubhav Sharma
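
The cookie handling the answer describes, as an added example that is not part of the original post: building the login and logout `Set-Cookie` values and reading the token back from the `Cookie` header. Only the name "auth-cookie", the domain attribute and httpOnly come from the answer; the function names, `example.com`, the placeholder token and the `Path`, `Max-Age`, `Secure` and `SameSite` attributes are assumptions.

```javascript
const COOKIE_NAME = "auth-cookie"; // name used in the answer

// Set-Cookie value for login. HttpOnly hides the JWT from document.cookie.
// Assumptions not in the answer: Path, Max-Age, Secure, SameSite.
function loginCookie(jwt, domain, maxAgeSeconds = 3600) {
  return [`${COOKIE_NAME}=${encodeURIComponent(jwt)}`, `Domain=${domain}`,
    "Path=/", `Max-Age=${maxAgeSeconds}`, "HttpOnly", "Secure",
    "SameSite=Lax"].join("; ");
}

// Set-Cookie value for logout: blank value, expired immediately. Domain and
// Path must match the login cookie or the browser keeps the original.
function logoutCookie(domain) {
  return [`${COOKIE_NAME}=`, `Domain=${domain}`, "Path=/", "Max-Age=0",
    "HttpOnly", "Secure", "SameSite=Lax"].join("; ");
}

// Pull the token out of a Cookie request header; null if missing or blank.
function readAuthCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    const value = part.slice(eq + 1).trim();
    if (value === "") return null;
    try { return decodeURIComponent(value); } catch { return null; }
  }
  return null;
}

// Request handler with the shape Node's http.createServer expects.
// DOMAIN and the token are constructed placeholders.
const DOMAIN = "example.com";
function handle(req, res) {
  if (req.url === "/login") {
    res.setHeader("Set-Cookie", loginCookie("hdr.payload.sig", DOMAIN));
    res.end("logged in");
  } else if (req.url === "/logout") {
    res.setHeader("Set-Cookie", logoutCookie(DOMAIN));
    res.end("logged out");
  } else {
    // Presence check only; a real handler verifies the JWT signature and
    // expiry before trusting the token.
    const token = readAuthCookie(req.headers.cookie);
    res.statusCode = token ? 200 : 401;
    res.end(token ? "ok" : "unauthorized");
  }
}
```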