jwt token in url

For websockets and file exports, we put the real jwt token in the url. Instead, we should request a very short lived and maybe useable only once token from the backend and put this one in the url. It would improve security