Objective-C
MaxEpt, 2016-01-07 16:11:47

Connection protection. How to use JWT correctly? And do you need SSL?

Good afternoon! I already asked a similar question and thought I had found a solution. But during implementation, due to my limited experience, a number of questions arose.
I am making an app for iOS. It has user authorization, chat, and profile settings. Naturally, chat and settings should be protected.
I decided to use JWT (JSON Web Tokens). Judging by what I have read, the work should proceed according to the following algorithm:
1) We send the password and login to the server. If they are correct, we form a token.
2) We give the token back to the application.
3) In all subsequent requests we send this same token.
The following questions follow from all this:
1) The login and password go to the server in the clear. It should not be that way. What should we do? Use SSL? How is this problem usually solved?
2) It turns out that if someone manages to intercept the token, they will be able to make any requests to the server on behalf of a specific user.
Maybe I misunderstood something about JWT? Or should I just use an SSL connection?
Can anyone suggest where to read about it?
If I use SSL, where can I find information on how to get a certificate and how to use it together with JWT and socket.io (my chat works over sockets)?
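
The three-step flow described in the question, as an added server-side example (not part of the original post) using only Node's built-in `crypto` module. The secret, the 15-minute lifetime and the function names are assumptions; the signature protects the token's contents from tampering, but the token itself is accepted from whoever presents it until it expires, so keeping it confidential in transit is the job of TLS.

```javascript
// Added example: HS256 JWT issue/verify with Node's standard library only.
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: real key comes from server config

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (input) => createHmac('sha256', SECRET).update(input).digest();

// Steps 1-2: after the login/password check succeeds, the server forms
// a token and returns it to the app.
function issueToken(userId, nowSec, ttlSec = 900) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: userId, iat: nowSec, exp: nowSec + ttlSec }));
  const sig = sign(`${header}.${payload}`).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// Step 3: every later request (HTTP call or socket handshake) carries the
// token; the server verifies it before trusting the user id inside.
function verifyToken(token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  let hdr, claims;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm; never let the token choose how it is verified.
  if (hdr?.alg !== 'HS256') return { ok: false, reason: 'bad alg' };
  const expected = sign(`${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // A short lifetime bounds how long a leaked token stays usable.
  if (typeof claims?.exp !== 'number' || nowSec >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sub: claims.sub };
}
```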
