This is my interpretation of what should work based on feedback and the API Recommended Practices page.
The JWT is fetched using an OAuth token from the older API.
My (not working) process:
- My client gets an authorization code from the user’s interaction with https://www.inaturalist.org/oauth/authorize (referral response header). Working.
- My client uses the authorization code to get an access_token from https://www.inaturalist.org/oauth/token (POST JSON with code from response header in request, JSON response containing access_token value in response). Working.
- Presumably the next step is to use the access token to get a JWT from https://www.inaturalist.org/users/api_token. This is where I break. If this is the right track, what is the protocol for doing this? How do I pass the access_token value to the api_token endpoint? I futzed around and kept getting sent to the sign-in page.
I tried bypassing step 2 and using the working post of step 2 to https://www.inaturalist.org/oauth/token. This gets me a 404, so not the thing.
Where am I going wrong?