@jaraco
Created April 13, 2020 21:43

	@cherrypy.expose
	def login(self, username, password):
		"""
		Log in the user and set a JWT web token in the cookie.
		"""
		res = self._login(username, password)
		if not res:
			raise cherrypy.HTTPError('401 Unauthorized')
		self.install_token(models.Member.make_token(res))

	@staticmethod
	def install_token(token):
		cherrypy.response.cookie['token'] = token
		cherrypy.response.cookie['token']['path'] = '/'

	@cherrypy.expose
	def validate_token(self):
		token = cherrypy.request.cookie['token'].value
		try:
			# Pin the algorithm to HS256, the default that jwt.encode signs with.
			return jwt.decode(token, os.environ['TOKEN_KEY'], algorithms=['HS256'])
		except jwt.ExpiredSignatureError:
			raise cherrypy.HTTPError('400 Token Invalid')

@farooqkz

Could you please explain a bit about the models module?
On line #9.

@jaraco
Author

jaraco commented Apr 19, 2020

models is code specific to the application's model of the world, the "models" of an MVC pattern. The code for make_token takes fields from the res and rolls them into a JWT like so:

	@classmethod
	def make_token(cls, member_fields):
		doc = dict(
			email=member_fields['EMAIL'],
			id=member_fields['ID'],
			exp=utc.now() + cls.session_limit,
		)
		token = jwt.encode(doc, os.environ['TOKEN_KEY'])

		return token.decode('ascii')
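
A hardened variant of the cookie and validation steps above, as an added example that is not part of the gist or the author's application. A standard-library HS256 implementation stands in for the `jwt.encode`/`jwt.decode` calls so each check is visible; `KEY`, the sample claims and the `now` argument are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes) -> str:
    """Sign claims as a compact JWT with HS256, PyJWT's default algorithm."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(key, head, body))}"

def validate_token(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims; raise ValueError for every kind of bad token."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head))["alg"] != "HS256":  # pin the algorithm
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(_sign(key, head, body), _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:  # a token without exp is rejected (KeyError)
            raise ValueError("expired")
        return claims
    except (ValueError, TypeError, KeyError, AttributeError) as exc:
        raise ValueError(f"invalid token: {exc}") from None

def install_token(cookie: SimpleCookie, token: str) -> str:
    """Set the token cookie with hardening attributes; return the header value."""
    cookie["token"] = token
    cookie["token"]["path"] = "/"
    cookie["token"]["httponly"] = True   # hidden from page JavaScript
    cookie["token"]["secure"] = True     # only sent over HTTPS
    cookie["token"]["samesite"] = "Lax"  # not sent on cross-site POSTs
    return cookie["token"].OutputString()

# Constructed sample data: the key, claims and clock values are made up.
KEY = b"constructed-demo-key"
GOOD = make_token({"email": "user@example.com", "id": 7, "exp": 2000}, KEY)
assert validate_token(GOOD, KEY, now=1000)["id"] == 7
```

`cherrypy.response.cookie` is an `http.cookies.SimpleCookie`, so the same attribute assignments apply to it directly. With PyJWT, the equivalent validation policy is `jwt.decode(..., algorithms=['HS256'])` inside `except jwt.InvalidTokenError`, which covers bad signatures and malformed tokens as well as expiry.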
