u/SnooBeans5461

My file storage API uses the classic 2 JWTs approach to authentication. The initial login requires a username and a password. Each user also has a master key (MK) used for file encryption. MK is stored encrypted with the user's password (through KDF). The MK never leaves the server, but requests need the unencrypted MK to access files while only having access and refresh tokens as the starting point, and no original password.
How do you keep access to MK in subsequent requests, if only JWTs are available?
Maybe the JWT approach is overall bad for this type of API and I should try something else?