This application exposes one protected API endpoint:

    GET /api/private

    and receives the token in an authorization header:

    Authorization: Bearer token