Authentication/Authorization with WebSockets

I am looking for best practices in implementation schemes for authenticating websocket communication. At the moment, this is the workflow I am considering:

  1. Client (Web UI) gets a JWT from invoking a REST API endpoint - /login.
  2. Client initiates a websocket session - subscribing to a set of events, passing the JWT (somehow).
  3. Upon authenticating JWT, server begins sending events based on the socket connection.

What are the best practices for passing the JWT while initiating a websocket session? And how can I parse it at the websocket server end?

Appreciate all guidance in this matter.