This doesn’t seem correct.
You should be using a 200 HTTP code and the token in plain text.
Not a JSON.success
JSON.success