So a seperate model for auth perhaps?

This is perhaps slightly off-topic, but where I work we add security-related things to either the header or the body manually via an interceptor (Retrofit)

Yeah, I am looking more at the server-side than client-side though 🙂