Security

config/packages/api_platform.yaml

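api_platform:
    title: 'BilMo'
    description: 'Main API for BilMo app.'
    # Quoted so the version is always read as a string, never a number.
    version: '1.0.0'
    # Resources are served as JSON-LD only; the docs additionally expose
    # OpenAPI JSON and the HTML (Swagger UI) renderer.
    formats:
        jsonld: ['application/ld+json']
    docs_formats:
        jsonld: ['application/ld+json']
        jsonopenapi: ['application/vnd.openapi+json']
        html: ['text/html']
    swagger:
        # Adds an "Authorize" box to Swagger UI whose value is sent in the
        # Authorization header. Enter it as `Bearer <token>` — Lexik's default
        # header extractor expects that prefix (confirm against any
        # token_extractors override). This only configures the UI; it grants
        # no access by itself.
        api_keys:
            JWT:
                name: Authorization
                type: header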

config/packages/security.yaml

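security:
    # The authenticator manager is the new security system (Symfony 5.1+).
    # With it enabled the legacy `anonymous:` and `guard:` firewall options
    # are deprecated (5.3) and gone in 6.0, so they are not used below.
    enable_authenticator_manager: true

    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # Loads App\Entity\User by its `username` column. The firewalls below
        # are stateless, so this is used by json_login and the JWT authenticator
        # rather than for reloading a user from the session.
        app_user_provider:
            entity:
                class: App\Entity\User
                property: username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        # Account creation has to work without a token. Restricted to POST so
        # every other method on /api/users falls through to the JWT firewall.
        signup:
            pattern: ^/api/users
            stateless: true
            methods: [POST]
        # Credential check; on success Lexik's handler returns the JWT.
        # check_path / username_path must match the lexik api_platform
        # section and the route declared for this path.
        authentication:
            pattern: ^/api/authentication_token
            stateless: true
            json_login:
                check_path: /api/authentication_token
                username_path: username
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        # Everything else under /api: stateless, authenticated by JWT.
        # `jwt: ~` is the authenticator-manager form of Lexik's authenticator
        # and replaces the legacy `guard.authenticators` entry.
        api:
            pattern: ^/api
            stateless: true
            jwt: ~

    # First matching rule wins. PUBLIC_ACCESS replaces the removed
    # IS_AUTHENTICATED_ANONYMOUSLY attribute.
    access_control:
        - { path: ^/api/authentication_token, roles: PUBLIC_ACCESS }
        # Mirrors the signup firewall: only account creation is public. The
        # previous rule granted anonymous GET on /api/users, which exposes the
        # user collection unless resource-level security restricts it; if a
        # public listing is really intended, add it as its own explicit rule.
        - { path: ^/api/users, roles: PUBLIC_ACCESS, methods: [POST] }
        # Default deny: without this catch-all, any /api path not matched above
        # is reachable without a token (Symfony grants access when no rule matches).
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }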
  • app_user_provider - loads App\Entity\User by its `username` property. Because every API firewall is `stateless: true`, there is no session to reload a user from; the provider is what json_login and the JWT authenticator use to resolve the authenticated user.

config/packages/lexik_jwt_authentication.yaml

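lexik_jwt_authentication:
    # Asymmetric key pair. Paths and passphrase are taken from the environment
    # so no key material or secret is committed with the configuration.
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    # Seconds. A leaked token stays valid until it expires, so keep this short.
    token_ttl: 3600

    # Publishes the login endpoint in the API Platform OpenAPI docs. It has to
    # describe the endpoint the `authentication` firewall's json_login actually
    # handles — check_path /api/authentication_token and credential field
    # `username` (the user provider's property). The previous values
    # (/login_check, email) documented a path no firewall serves and a field
    # json_login would ignore.
    api_platform:
        check_path: /api/authentication_token
        username_path: username
        password_path: password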

config/routes.yaml

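# Route backing the json_login check_path: a route must exist for that path
# or the POST never reaches the firewall. It must equal
# security.firewalls.authentication.json_login.check_path; /login_check did
# not match any firewall pattern, so a login POST there was never handled.
auth:
    path: /api/authentication_token
    methods: ['POST']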
