Yes. All right.
The only thing I will add is that it is better to send the token in the headers. Moreover, it is desirable, since the authentication mechanism is non-standard, in the X-Authorization. If you decide to store the token in a cookie and pass it, it should preferably be an http-only cookie (although not necessary in the case of JWT) and the server should be protected from CSRF attacks.
Also, since credentials are essentially roaming the network, it is important to use SSL. Fortunately, today there is lets-encrypt to get certificates for free.
Last but not least, to be safe, use refresh tokens. That is, our unique token that walks in each request will have a lifetime limit (say 5 minutes) and we will use a refresh token to update it. When a refresh token is received, a new pair of token + refresh-token is sent to the client.
Thus, the attacker who intercepted the user's token will have a window of only 5 minutes to do something.

I passed by and, it seems, everything is correct, except for:

From the mobile application, I send the login and password to the api server.

Never! Do you hear Carl? NEVER SEND authorization data to the server WITHOUT PRELIMINARY HASHING on the client side with the server key.
1. Data on the client: hash(USER1:PASSWORD:SKEY
:
RANDOM
) user if everything is correct.
And so, yes! Thank you, Sergey Protko - everything is written quite clearly and correctly!