Newest master of JM contains changes to the authentication mechanism.
See JoinMarket-Org/joinmarket-clientserver#1480 for more information.

From JSON-RPC-API-using-jmwalletd.md#rules-about-making-requests:

On initially creating, unlocking or recovering a wallet, a new access and refresh token will be sent in response, the former is valid for only 30 minutes and must be used for any authenticated call, the former is valid for 4 hours and can be used to request a new access token, ideally before access token expiration to avoid unauthorized response from authenticated endpoint and in any case, before refresh token expiration.

The OpenAPI spec can be found in wallet-rpc.yaml.

At the time of writing, this functionality has not been released and will probably land in JM v0.9.11.