Authentication

  • Send your token as Authorization: Bearer <jwt>. The portal's "Test Request" feature auto-prefixes Bearer if you paste a raw JWT; your own clients should always include the prefix.
  • Keep tokens out of source control, logs, and URLs. Treat them like passwords — store them in a secret manager or environment variables, never in commit history.
  • Rotate tokens periodically and any time you suspect leakage. Build the rotation path into your integration before you need it; tokens that "never expire" tend to become tokens nobody knows how to replace.
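
The three points above in client code, as an added example (not code from the portal or the API provider): the token is read from the environment at call time so a rotated value is picked up on the next request, the Bearer prefix is always sent, and JWT-shaped strings are scrubbed from log output. The variable name API_TOKEN, the helper names and the sample token are assumptions made for illustration.

```python
import logging
import os
import re

TOKEN_ENV_VAR = "API_TOKEN"  # assumed name; use whatever your secret manager injects
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"  # constructed, not a real credential
# Three base64url segments; a JWT header starts with "eyJ" (base64url of '{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def load_token(environ=os.environ):
    """Read the token on every call so rotation needs no code change or rebuild."""
    token = environ.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def auth_headers(token):
    """Always send 'Bearer <jwt>'; tolerate a value that already carries the prefix."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    return {"Authorization": f"Bearer {token}"}


def redact(text):
    """Replace anything JWT-shaped so it never reaches a log line."""
    return JWT_RE.sub("[REDACTED_JWT]", text)


def url_is_token_free(url):
    """True when the URL carries no JWT-shaped value; tokens belong in the header."""
    return JWT_RE.search(url) is None


class RedactTokens(logging.Filter):
    """Logging filter that scrubs JWTs from the fully formatted message."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True
```

Attach the filter to each handler with handler.addFilter(RedactTokens()) so records from third-party loggers are scrubbed as well.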