Use better JWT standards

Right now, the app issues a single long-lived JWT access token. It's the client's responsibility to proactively refresh its token; otherwise it needs to log in again.

We could use access tokens and refresh tokens instead, where the access token is short-lived and the refresh token is long-lived. For this approach to be secure, the refresh token needs to be stored securely. When building a traditional server + web client, we can use HTTP-only cookies for that, as those are securely stored by the browser. However, since our client is another Go app, I'm not sure how to handle this instead.

We could use a library like this (https://github.com/99designs/keyring) to store the access token in the keychain, etc.
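To make the proposal concrete, here is a sketch (added for this issue, not code from the project) of how a Go client could keep the refresh token out of process memory and transparently rotate it. It assumes a small `SecretStore` interface that a thin adapter over 99designs/keyring would implement, a constructed `TokenPair` response shape, and a placeholder keyring entry name; `MemStore` is an offline stand-in for the OS keychain.

```go
package main

import (
	"fmt"
	"time"
)

// TokenPair is the constructed shape of the auth server's reply (not the project's real type).
type TokenPair struct {
	AccessToken  string
	AccessExpiry time.Time
	RefreshToken string
}

// SecretStore is the minimal surface needed from a keychain backend such as 99designs/keyring
// (assumption: a thin adapter over that library would implement it).
type SecretStore interface {
	Get(key string) (string, bool)
	Set(key, value string)
}

type MemStore map[string]string // offline stand-in for the OS keychain; never use it in a real client
func (m MemStore) Get(k string) (string, bool) { v, ok := m[k]; return v, ok }
func (m MemStore) Set(k, v string)             { m[k] = v }
const refreshKey = "myapp/refresh-token" // placeholder keyring entry name

// Session keeps only the short-lived access token in memory; the refresh token lives in Store.
type Session struct {
	Store   SecretStore
	Refresh func(refreshToken string) (TokenPair, error) // the HTTP exchange in a real client
	cur     TokenPair
}

// AccessToken returns a usable access token, refreshing when the current one is within 30s of expiring.
func (s *Session) AccessToken() (string, error) {
	if time.Now().Add(30 * time.Second).Before(s.cur.AccessExpiry) {
		return s.cur.AccessToken, nil
	}
	rt, ok := s.Store.Get(refreshKey)
	if !ok {
		return "", fmt.Errorf("no stored refresh token; log in again")
	}
	pair, err := s.Refresh(rt)
	if err != nil {
		return "", fmt.Errorf("refresh rejected; log in again: %w", err)
	}
	s.Store.Set(refreshKey, pair.RefreshToken) // rotate: keep only the newest refresh token
	s.cur = TokenPair{AccessToken: pair.AccessToken, AccessExpiry: pair.AccessExpiry} // refresh token is not kept in memory
	return pair.AccessToken, nil
}
```

Every call site asks `Session.AccessToken()` for a token instead of caching the JWT itself, so a stolen process dump yields at most a token that dies within minutes, while a rejected refresh falls back to a fresh login.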

Anyway, this might need some research to see if it's even worth it.

cf: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/