diff --git a/demo/postman/Payload.postman_collection_with_auth.json b/demo/postman/Payload.postman_collection_with_auth.json
index 52646fa15d..9844504ad7 100644
--- a/demo/postman/Payload.postman_collection_with_auth.json
+++ b/demo/postman/Payload.postman_collection_with_auth.json
@@ -1,7 +1,7 @@
 {
 "info": {
- "_postman_id": "b25a1d07-a6f9-4fda-a1ee-36a630f1b8db",
 "name": "Payload",
+ "_postman_id": "027b80cb-1244-c4b7-01f4-2a0ccf32e0a3",
 "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
 },
 "item": [
@@ -126,6 +126,19 @@
 },
 {
 "name": "Login",
+ "event": [
+ {
+ "listen": "test",
+ "script": {
+ "id": "78a4a2f8-716e-4b01-802a-be1d9c915829",
+ "type": "text/javascript",
+ "exec": [
+ "var jsonData = JSON.parse(responseBody);",
+ "postman.setGlobalVariable(\"token\", jsonData.token);"
+ ]
+ }
+ }
+ ],
 "request": {
 "method": "POST",
 "header": [
@@ -136,7 +149,7 @@
 ],
 "body": {
 "mode": "raw",
- "raw": "{\n\t\"email\": \"james@jamestest.com\",\n\t\"password\": \"test123\"\n}"
+ "raw": "{\n\t\"email\": \"test@test.com\",\n\t\"password\": \"test123\"\n}"
 },
 "url": {
 "raw": "http://localhost:3000/login",
@@ -160,12 +173,11 @@
 "header": [
 {
 "key": "Content-Type",
- "value": "application/json",
- "disabled": true
+ "value": "application/json"
 },
 {
 "key": "Authorization",
- "value": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImphbWVzQGphbWVzdGVzdC5jb20iLCJpYXQiOjE1NDQ0OTY2MDIsImV4cCI6MTU0NDQ5NjcyMn0.c7xtWTxpkGywC8ZwvtPJzVDUE547CWhMqhRMAi66ONQ"
+ "value": "JWT {{token}}"
 }
 ],
 "body": {
diff --git a/src/auth/index.js b/src/auth/index.js
index 891e7a91f9..a244a2390e 100644
--- a/src/auth/index.js
+++ b/src/auth/index.js
@@ -10,21 +10,27 @@ export default User => ({
 * @returns {*}
 */
 login: (req, res) => {
- let { email, password } = req.body;
- //This lookup would normally be done using a database
- if (email === 'james@jamestest.com') {
- if (password === 'test123') { //the password compare would normally be done using bcrypt.
+ let { email, password} = req.body;
+ console.log(email);
+ console.log(password);
+
+ User.findByUsername(email, (err, user) => {
+ if (err || !user) return res.status(401).json({ message: 'Auth Failed' });
+
+ user.authenticate(password, (authErr, model, passwordError) => {
+ if (authErr || passwordError) return res.status(401).json({ message: 'Auth Failed' });
+
+ console.log('Correct password. Generating token.');
 let opts = {};
- opts.expiresIn = 120; //token expires in 2min
- const secret = 'SECRET_KEY'; //normally stored in process.env.secret
+ opts.expiresIn = process.env.tokenExpiration || 1200; // 20min default expiration
+ const secret = process.env.secret || 'SECRET_KEY';
 const token = jwt.sign({ email }, secret, opts);
 return res.status(200).json({
 message: 'Auth Passed',
 token
- })
- }
- }
- return res.status(401).json({ message: 'Auth Failed' });
+ });
+ })
+ });
 },
 
 /**
diff --git a/src/auth/jwt.js b/src/auth/jwt.js
index b8f38a3453..ec36bc86bc 100644
--- a/src/auth/jwt.js
+++ b/src/auth/jwt.js
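Review bot: The two `console.log` calls added right after the destructuring write the submitted email and the plaintext password to stdout on every login attempt, so whatever collects this process's logs now holds user credentials; both lines should go (the `Correct password. Generating token.` log adds nothing either). `opts.expiresIn = process.env.tokenExpiration || 1200` has a units bug: environment values are strings, and jsonwebtoken documents that a unit-less string such as `"1200"` is read as milliseconds rather than seconds, so setting the variable produces tokens that expire almost immediately — use `opts.expiresIn = Number(process.env.tokenExpiration) || 1200;` or validate the value once at startup. `const secret = process.env.secret || 'SECRET_KEY'` silently signs tokens with a key that is committed to the repository whenever the variable is unset, and `opts.secretOrKey` in src/auth/jwt.js has the same fallback; read the secret once at module load, refuse to start when it is missing outside development, and keep both files on that single source so tokens issued here still verify there. The enclosing `export default User => ({` object begins before the hunk.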
@@ -3,17 +3,11 @@ import passportJwt from 'passport-jwt';
 const JwtStrategy = passportJwt.Strategy;
 const ExtractJwt = passportJwt.ExtractJwt;
 
-const opts = {}
-opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
-opts.secretOrKey = 'SECRET_KEY'; //normally store this in process.env.secret
+const opts = {};
+opts.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('JWT');
+opts.secretOrKey = process.env.secret || 'SECRET_KEY';
 
-export default User => new JwtStrategy(opts, (jwtPayload, done) => {
-
- // Access to User model
- console.log(User);
-
- if (jwtPayload.email === 'james@jamestest.com') {
- return done(null, true)
- }
- return done(null, false)
+export default () => new JwtStrategy(opts, (jwtPayload, done) => {
+ console.log(`Token authenticated for user: ${jwtPayload.email}`);
+ return done(null, true);
 })
diff --git a/src/index.js b/src/index.js
index df4678b292..63525472a8 100644
--- a/src/index.js
+++ b/src/index.js
@@ -14,12 +14,12 @@ module.exports = {
 }
 });
 
- // configure passport for Auth
+ // Configure passport for Auth
 options.app.use(passport.initialize());
 options.app.use(passport.session());
 passport.use(options.user.createStrategy());
- passport.use(jwtStrategy(options.user));
+ passport.use(jwtStrategy());
 passport.serializeUser(options.user.serializeUser());
 passport.deserializeUser(options.user.deserializeUser());
 
diff --git a/src/user/index.js b/src/user/index.js
index 426d5c06a8..0cbb0ba5c6 100644
--- a/src/user/index.js
+++ b/src/user/index.js
@@ -17,7 +17,7 @@ module.exports = User => ({
 return next(error);
 }
 passport.authenticate('local')(req, res, () => {
- res.json({ user });
+ res.json({ email: user.email, role: user.role, createdAt: user.createdAt });
 });
 });
 }
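Review bot: The verify callback now ends in `done(null, true)` for any token whose signature checks out, so `req.user` becomes the literal `true` and a token keeps working after its account is deleted or disabled until `expiresIn` runs out; the `User` parameter this hunk removes (and src/index.js stops passing) is exactly what is needed to resolve the user here. I would keep `export default User =>` and have the callback look the user up by `jwtPayload.email`, handing the document to `done` so it becomes `req.user` and an unknown or removed user is rejected. The per-request `console.log` of the email is worth dropping or demoting to a debug logger, since it records who called the API on every authenticated request.
```javascript
export default User => new JwtStrategy(opts, (jwtPayload, done) => {
  User.findByUsername(jwtPayload.email, (err, user) => {
    if (err) return done(err, false);
    return done(null, user || false);
  });
})
```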
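Review bot: The explicit projection in `res.json({ email: user.email, role: user.role, createdAt: user.createdAt })` is the right direction, since the replaced `res.json({ user })` serialized the entire model, whatever it contained; as a point of style, that allowlist would be better kept in one helper (a `toPublicJSON`-style function or schema method) that this response and any later user-returning endpoint share, so the set of exposed fields is maintained in a single place rather than repeated per handler. The enclosing handler starts before the hunk.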