One of the options: * Send login/pass to get the token * use and verify the token for the rest of requests
