Thanks @Ashok Kumar 
Working now. Also do not forget in the UI request  header: Accept: 'Application/pdf', 'Content-Type': 'application/pdf'

Excellent posts: https://community.intersystems.com/post/creating-rest-api-jwt-authentication-objectscript, https://community.intersystems.com/post/jwt-authentication-rest, https://docs.intersystems.com/hs20231/csp/docbook/DocBook.UI.Page.cls?KEY=HESECURE_login_app_sso I have still to figure out as my UI does not having a login - coming from clinical/ healthshare viewer navigation - how I can get the first refresh token. Healthshare has some session storages like  hs-navigation:refresh_token. Is it the way to go?

Thanks @Yaron Munz, @Ashok Kumar, @Luis Angel Pérez Ramos, I implemented the bearer token I can get from the rest api call "/login". Luis gave the link https://docs.intersystems.com/iris20241/csp/docbook/Doc.View.cls?KEY=ROA.... Just do not forget to activate jwt in the csp of you rest entry point in management portal.

Sorry I published a lot about my auth problem because my task is:  I am connecting an angular application to healthshare world: mainly clinical viewer. My customer wants to share sessions.

At first, I was using a csp application to give angular the auth level. It seems to work well. But thanks to intersystems support, I understood  clinical is in one csp session and angular is in another one. So now with your advice, I created an angular route guard / angular interceptor to protect access to pages and deliver token in header. (I still have to work on refresh token - I will share some code when clean). 

But I am still not connected to healthshare clinical viewer. Clinical viewer is using jwt tokens, and my angular app is called from the healthshare navigation application configuration. I can not figure out how  I can use the clinical viewer tokens. Do I have something to do in the url in the hs navigation ui. Some interesting ideas on: openid connect, universal login app, heathshare api user registration.