JWT (JSON Web Token)

JWT tokens are stored on the client side, require no session state on the server, and are signed so that the receiving service can verify their authenticity and detect forgery or tampering.
What JWT contains
Field in token | Purpose |
---|---|
sub | User or service ID |
exp | Token expiration time |
roles/scopes | User roles and permissions |
signature | Digital signature over the header and payload, used to verify authenticity |
custom claims | Any additional data: language, hall ID, currency, etc. |
Implementation features
Format: `header.payload.signature` (each part base64url-encoded)
Signature algorithms: HS256 (symmetric, HMAC with a shared secret) and RS256 (asymmetric, RSA key pair)
Support for refresh tokens and rotation
Works with CORS, mobile, web and server-to-server clients
Ability to store token in cookies, localStorage or headers
Benefits of using JWT
Stateless: no need for a server session
Convenient for mobile, SPA and microservices
Scalability - easily implemented across multiple services
Fast communication between client and API
Flexibility - you can store any data necessary for authorization in the token
Where especially relevant
Mobile and front-end applications
Service-to-service authorization (S2S)
Platforms with many concurrent users
Systems requiring a clear access role model
JWT is a robust and flexible tool for API authorization and security, enabling scalable and secure application operation without depending on server-side state.