For authentication_controller, skip_before_action :authenticate_token! should be changed to skip_before_action :authenticate_user! because ApiController has changed.
The second half of the video is really hard to understand for me.
With a JWT, the server will always think you are logged out. Why is that? Just because it has to be manually included in the header by ourselves? I'm confused.
"So the server would always think that you're logged out, it will never let you do anything malicious via a bad URL or something like that."
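
The quoted sentence contrasts cookie sessions, which the browser attaches to every request to the site, with a JWT that only the application's own script places in the Authorization header. The Ruby sketch below is an added example, not code from the video or from any commenter; the secret, the session store, the helper names and the simplified browser model are all constructed for illustration.

```ruby
require "openssl"
require "json"

SECRET   = "constructed-demo-secret"   # constructed signing key
SESSIONS = { "s3ss10n" => "alice" }    # constructed server-side session store

def b64(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def unb64(str)
  std = str.tr("-_", "+/")
  (std + "=" * ((4 - std.length % 4) % 4)).unpack1("m")
end

def sign(input)
  b64(OpenSSL::HMAC.digest("SHA256", SECRET, input))
end

# Issue an HS256 JWT carrying only a subject claim.
def issue_token(user)
  input = [b64(JSON.generate(alg: "HS256", typ: "JWT")), b64(JSON.generate(sub: user))].join(".")
  "#{input}.#{sign(input)}"
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the browser sends: cookies ride along on every request to the origin,
# but an Authorization header exists only when the app's own script sets it.
def browser_request(session_cookie:, token:, sent_by_app_script:)
  headers = { "Cookie" => "session=#{session_cookie}" }
  headers["Authorization"] = "Bearer #{token}" if sent_by_app_script
  headers
end

def cookie_user(headers)
  SESSIONS[headers["Cookie"].to_s[/session=([^;]+)/, 1]]
end

def jwt_user(headers)
  head, body, sig = headers["Authorization"].to_s.sub(/\ABearer /, "").split(".")
  return nil unless head && body && sig && secure_equal?(sign("#{head}.#{body}"), sig)
  JSON.parse(unb64(body))["sub"]
end

TOKEN     = issue_token("alice")
FROM_APP  = browser_request(session_cookie: "s3ss10n", token: TOKEN, sent_by_app_script: true)
FROM_LINK = browser_request(session_cookie: "s3ss10n", token: TOKEN, sent_by_app_script: false)
```

For the request that did not come from the app's script, `cookie_user(FROM_LINK)` still resolves to "alice" while `jwt_user(FROM_LINK)` returns nil, which is the "logged out" view the quote describes.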