Just to reiterate, once you find all the credentials (after the jwt token part), you need to check for websites for 401s!