Hey Rob,
Just responded to @d.murali in another thread, but there is a way to pass in credentials for the browser.
Take a look here:
I haven't yet tried to do this with a JWT, but I don't see why it wouldn't work. Certainly would be more secure (due to time limitation) than passing a password.
As far as a proxy is concerned, we just use NGINX for the WebSocket proxying for the sandbox. This works for WebSocket Bolt connections (used by the JavaScript driver), but doesn't seem to be functional for regular Bolt connections from other drivers. I haven't yet investigated why...
Cheers,
-Ryan