To receive a refresh token from the server, the client must send a GET request with its older token to /api/refresh, and the JWT token must be included in the header.
An example from Postman:

For consistency all JWT tokens should be transmitted through the HTTP headers. That means the client's post method should be updated.
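
The refresh flow described above, sketched as an added example (not code from this project). Everything beyond GET /api/refresh and "token in the header" is an assumption: the `Authorization: Bearer` scheme, HS256 with a shared secret, the 15-minute lifetime, the `{"token": ...}` response shape, the rule that the older token must still be unexpired, and the hypothetical `handle` function.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # assumption: HS256 with a shared secret
TTL = 900                             # assumption: 15-minute token lifetime

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token: str, now: float) -> dict:
    head, body, sig = token.split(".")        # ValueError unless three parts
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")     # pin the algorithm server-side
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def handle(method: str, url: str, headers: dict, now: float):
    """Hypothetical handler for GET /api/refresh; returns (status, body)."""
    path, _, query = url.partition("?")
    if method != "GET" or path != "/api/refresh":
        return 404, {}
    if "token=" in query:                      # URLs end up in logs and history
        return 400, {"error": "send the token in the header"}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "missing bearer token"}
    try:                                       # fail closed on any malformed input
        claims = verify(token, now)
        fresh = sign({"sub": claims["sub"], "exp": now + TTL})
    except (ValueError, KeyError, TypeError, AttributeError):
        return 401, {"error": "invalid token"}
    return 200, {"token": fresh}
```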