Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

API authentication using JSON web tokens

Wednesday, November 29th, 2017 by Servage

json-jwt-tokenThere are many ways to authenticate users in APIs: username and password combinations, OAuth 2 and API keys to name a few. Today we will be having a look at a rather new implementation called JSON Web Token, JWT for short. There are some noteworthy advantages in JWTs that we will be covering as well.

What is a JWT?

A JWT is a way to send and receive data between two parties in a secure way. The data a JWT contains is mostly up to you, although some metadata must be present. JWTs can be used as session tokens to authenticate against an API.

As the name implies, a JWT is JSON and therefore should look a lot like a JavaScript object. However, a JWT is Base64 encoded and looks like this instead: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ.

What is a JWT Made of?

There are two dots in the string that separate the three important pieces of a JWT. The first part is a header that contains a hashing algorithm (such as “SHA256”) and a type (always “JWT”). If you were to decode the header, it would look like this: {“alg”: “HS256″, “typ”: “JWT”}.

The second part is perhaps the most important part. It’s the payload of the token, which is where you specify what data the token contains. It can for instance contain a user ID of an authenticated user. You can use the ID to identify which user is sending a request to your API. The payload can look like this: {“iss”: “”,”user_id”: “1”}.

When using a cookie or local storage to store a session token, it’s not a good idea to store the user ID there and send it to the API as a way to authenticate. A malicious user could easily change the user ID from 1 to 2 to authenticate as a different user. However, in the case of JWTs, this is not possible thanks to the last part of the token called the signature.

The purpose of the signature is to verify that the token has not been modified since it was generated. This is achieved using a secret text-based token or public-key cryptography. The server that generates a JWT signs the token with the secret token or public key and sends the token to an API client. When the client sends a request, it sends the same token back to the API. At this point the API verifies that the token has not been modified using its secret token or private key.

Why Use JWTs?

We already covered one major benefit of JWTs: the ability to store data in a token that we can trust. With a proper signature verification system in place, malicious users cannot send forged tokens to an API pretending to be someone they aren’t.

A second benefit is that the token does not have to be stored in a database like a traditional session token. The token itself contains information about the expiration date (provided that you set one) and everything else an API needs to decode the Base64 encoded information back to a readable format. Only the client has to store the JWT, which can be done for instance in local storage.

API authentication using JSON web tokens, 3.0 out of 5 based on 2 ratings
Categories: Tips & Tricks

Keywords: ,

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

No comments yet (leave a comment)

You are welcome to initiate a conversation about this blog entry.

Leave a comment

You must be logged in to post a comment.