If there is any functionality in Blue Prism to handle re-authenticating periodically automatically, I'm not aware of it. There are two ways that I have handled this. Which one is better for you I can't say. But I suspect the 2nd option would be best due to having such a low expiry time.

1 - The way we handle this is to have a Token Refresher process that runs every x minutes. This process simply calls any Authenticate actions we have across any objects (whether that's a VBO or Web API). I usually like to make Authenticate actions in a VBO so that I can add extra logic as needed, such as performing whatever extra logic I want in terms of storing the returned JWT token in a credential that is of type Bearer Token like you said. And just as you described, your other Web API can use that bearer token credential as its common authentication.

2 - Another way I like to do when the timing of authentication isn't predictable or if it needs to constantly reauthenticate and it is very often: Instead of having a Token Refresher process that runs every x minutes, instead you implement logic either in each automation/process to authenticate first OR put a subpage reference or action call as the first step in every action. This just depends on how much control you have over different pieces. In some way though, the goal here would be for a check to be performed upon each API call to determine whether your token is still valid or not. If it is no longer valid (expired), then it re-authenticates and stores the token again back into the credential. I know that JWT tokens technically have their expiry information inside the token itself, but what I do instead is just store the expected expiry datetime in a credential (I commonly used a Credential Property to hold the datetime text and I cast it to DateTime when reading it back in). Doing it this way, as long as your logic is good, then you can pretty much just forget about it, and the logic will just handle re-authenticating whenever it is needed.

Some things to consider. Some APIs will actually invalidate previously-generated tokens for the same user ID when authenticate happens to generate a new token. Some, however, will actually allow you to generate hundreds of different valid tokens. If your API is one of these (example is CyberArk) that allows multiple valid tokens at the same time for the same user, then you could just have different credentials for each automation such that each automation has its own JWT token at any given time and in that case you can just have the automation authenticate when it starts and then renew its own token whenever is needed. I must say 20 minutes is a very aggressive timeframe for token expiry. In the 20 or 30 different APIs I've worked with, I've never seen such a low expiry time. I would personally complain about that in case it is simply due to an over-ambitious developer/owner of that API.