A quick one here on security.
The only way to ensure data privacy is to use HTTPS. Never use plain HTTP if you have security in mind.
Sending credentials in the URL of a GET request should definitely be banned, because they leak through browser history.
However, whether you use GET or POST, whether you pass the credentials via headers or body, or whether you use cookies or JWTs ultimately does not make a difference: without HTTPS, you are sending authentication data in clear text over the wire.
Only SSL/TLS encryption can help protect your data.
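To make the point concrete, here is an added example (not part of the original post): a small Python audit check that parses plaintext HTTP requests and lists every credential that can be read from them without any key, whichever way it was passed. The host `example.test`, the parameter names in `SENSITIVE` and all sample requests are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

SENSITIVE = {"password", "token", "api_key"}  # assumed parameter names

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed samples: one plaintext HTTP request per way of passing credentials.
JWT = ".".join([b64url({"alg": "HS256"}), b64url({"sub": "alice"}), "c2ln"])  # dummy signature
HOST = "Host: example.test\r\n"
SAMPLES = {
    "get_url": f"GET /login?user=alice&password=hunter2 HTTP/1.1\r\n{HOST}\r\n",
    "post_body": f"POST /login HTTP/1.1\r\n{HOST}Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 27\r\n\r\nuser=alice&password=hunter2",
    "basic": f"GET / HTTP/1.1\r\n{HOST}Authorization: Basic "
             f"{base64.b64encode(b'alice:hunter2').decode()}\r\n\r\n",
    "cookie": f"GET / HTTP/1.1\r\n{HOST}Cookie: session=abc123\r\n\r\n",
    "jwt": f"GET / HTTP/1.1\r\n{HOST}Authorization: Bearer {JWT}\r\n\r\n",
}

def exposed_credentials(raw: str):
    """List (location, value) pairs readable from one plaintext HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in header_lines)}
    found = []
    def scan(location, query):  # flag sensitive form/query parameters
        for name, values in parse_qs(query).items():
            if name.lower() in SENSITIVE:
                found.append((location, values[0]))
    scan("url", urlsplit(target).query)
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":  # base64 is an encoding, not encryption
        found.append(("basic", base64.b64decode(cred).decode()))
    elif scheme.lower() == "bearer":
        found.append(("bearer", cred))  # a bearer token is itself the credential
        if cred.count(".") == 2:  # JWT claims are signed, not encrypted
            payload = cred.split(".")[1]
            claims = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
            found.append(("jwt-claims", json.loads(claims)))
    if "cookie" in headers:
        found.append(("cookie", headers["cookie"]))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        scan("body", body)
    return found
```

Calling `exposed_credentials` on each entry of `SAMPLES` returns a non-empty list for all five requests; over HTTPS the same bytes would reach an observer only as TLS ciphertext.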