dbsc
JWTs are not themselves base64url encoded
A signed JWT is always a series of three base64url-encoded values separated by a period ('.') character. It is not itself base64url-encoded. So saying things like <base64-URL-encoded registration JWT> and Sec-Session-Response: <base64-URL-encoded JWT> are not really accurate and/or potentially misleading. In those contexts it could just say something like "the JWT" because JWT formatting and encoding is defined and unambiguous.
There's also an "application/jwt" media type that would be appropriate as the Content-Type in the example POST request to /securesession/startsession (rather than application/json, which it has now).
Copies of the two examples mentioned herein are included below for posterity/convenience. (as I look at them, however, I can't help but wonder why the JWT is sent in the body with "startsession" and a header with "refresh"?)
```http
POST /securesession/startsession HTTP/1.1
Host: auth.example.com
Accept: application/json
Content-Type: application/json
Content-Length: nn
Cookie: whatever_cookies_apply_to_this_request=value;

<base64-URL-encoded registration JWT>
```

```http
POST /securesession/refresh HTTP/1.1
Sec-Session-Response: <base64-URL-encoded JWT>
```
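To make the distinction concrete, here is a small worked example added to this page (it is not code from the DBSC repository or from the issue author). It builds an HS256-signed JWT by hand, shows that the compact form is three base64url segments joined by '.', verifies the signature, and then shows what happens if a server literally expects a "base64-URL-encoded JWT": running the whole token through base64url once more hides the separators, so the value no longer parses as a JWT at all. The key, claims and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo secret for the HS256 example; not a value from the DBSC
# proposal or any real deployment.
DEMO_KEY = b"constructed-demo-secret"

# Compact JWS serialisation (RFC 7515 section 3.1): exactly three base64url
# segments joined by '.'; the base64url alphabet itself never contains '.'.
_COMPACT_JWS_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWS segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding base64 expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def is_compact_jws(value: str) -> bool:
    """True if the value has the shape of a compact JWS. A JWT that was
    base64url-encoded a second time fails this check because the wrapping
    hides the two '.' separators."""
    return _COMPACT_JWS_RE.match(value) is not None


def parse_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split a JWT into decoded header, decoded claims and raw signature bytes."""
    if not is_compact_jws(token):
        raise ValueError("not a compact JWS: expected three base64url segments joined by '.'")
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the HMAC over the first two segments with a constant-time compare."""
    header, _, sig = parse_jwt(token)
    if header.get("alg") != "HS256":
        return False
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def double_encode(token: str) -> str:
    """What a literal '<base64-URL-encoded JWT>' would produce: the whole compact
    token run through base64url once more. Included only to show the mismatch."""
    return b64url_encode(token.encode("ascii"))


if __name__ == "__main__":
    token = make_hs256_jwt({"sub": "constructed-demo-subject"}, DEMO_KEY)
    print("compact JWT:", token)
    print("segments:", token.count(".") + 1)
    print("verifies with demo key:", verify_hs256(token, DEMO_KEY))
    wrapped = double_encode(token)
    print("double-encoded value still looks like a JWT:", is_compact_jws(wrapped))
```

The structural check in is_compact_jws is what a receiver of Sec-Session-Response or of the startsession body should apply before doing anything else: the compact JWS is already a URL- and header-safe ASCII string, so no outer encoding is needed, and any value without the two '.' separators is not a JWT and should be rejected rather than decoded again.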