Yeah it is probably the way too do it; just it transforms it as part of that send so it's a loop it in same router job or pass it on to another router to go to the operation so was wondering if there was another way without this but doubt there is 

Thanks although not going into technical too much I think this was the info I wanted. And there is a useful link for jwt down this route. https://community.intersystems.com/post/creating-rest-api-jwt-authentica... 

I don't really understand the best practices on building the IRIS REST apps and passing authentication through. 

I.e. do people just tend to authenticate the CSP page it goes to and that is fine .

Or after the authentication method do they tend to use that same user logged in to make the API call? 

i.e. (although should be in .env) do rest apps tend to look for if iris is authenticated or should it just use a set up user and pass to make the API call?