The end user (REST client) is authenticated using the REST Auth API (Loginapp). 

After successful authentication, IAM issues a JWT to the REST client.

The JWT can be used on 3rd party systems that are not connected to IAM

JWTs in requests sent to Airlock Gateway (WAF) are authenticated by inspecting the JWT. This involves IAM's one-shot interface.

The example uses username/password authentication (no second factor).