API

How to sign a token in RestAPI?

Hello! There was quite a bit of experience in matters related to authentication, authorization, registration, signatures and tokens. There is a lot of information about this, but it already makes my head spin. So much so that it is unrealistically very confused. Ahem, why is this:
Is the scheme correct:
1) The user sends a GET request, for example, to /api/user/auth with his login and password
3) /api/user/auth checks login: pass and returns data like: access_token , refresh_token, sign
4) The user remembers the data and is going to work with the /api/news method, sending access_token and sign in the header
50) The server checks the access_token (for a match and whether it has expired). Verifies the signature. If all is well - success.
So, please share your experience of how to collect a signature? What data should be put there to determine that right now the right user is working with the API? In the first paragraph, add sending secret, which will be set by the user? Or is there no need for a signature at all?
Some details:
There is an application, there is a web version. Users - only admins, moderators, well, read-only.
The application only receives information (read only). That is, for example, it calls the /api/news method and the like.
With one caveat: to connect push notifications, the application needs to poison the data. Simply put, there is only one method to which the application sends data.
In the web version, it is possible to create a user (administrator, moderator, read-only), log in under him and manage content.
So, dear users of the toaster, help me deal with the porridge in my head. You are welcome.