Alexander Trauzzi

Reputation: 7395

Is there a standard HTTP header servers use to exchange JWTs with clients?

I'm in the process of writing a client and server for an application and I'm wondering if there are any standard/established HTTP headers that servers can use to:

I'm having a difficult time getting results on this because the term "header" is ambiguous with JWT in an HTTP context.

Upvotes: 1

Views: 119

Answers (1)

Shaun the Sheep

Reputation: 22752

JWT is really just a format for passing signed and/or encrypted data about. Standard headers would most likely be part of a protocol specification instead.

Examples where JWT is used as part of a specification include Mozilla Persona/BrowserID and OpenID Connect, but in these the tokens are generally transferred as part of Ajax requests or occasionally in a URL fragment (for the OpenID Connect IdToken).

For something like OAuth 2.0 Bearer authentication, JWT could be a useful option (and is used in some implementations), but the spec doesn't actually say what the token should be. It could equally well be an opaque value linked to some back-end storage.

So I don't believe there are any standard headers specifically designed to hold JWTs - it would depend on the context in which they were being used.

Upvotes: 2
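An added example, not part of the original answer: a server-side sketch of the Bearer case mentioned above, which pulls the token from an `Authorization` header value using the RFC 6750 `b64token` grammar and reports whether it is shaped like a compact JWT or is opaque. The function names and sample values are assumptions made for illustration, and the check looks at shape only; it verifies no signature.

```python
import base64
import json
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def _b64url_json(segment):
    """Decode one base64url segment as a JSON object, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return value if isinstance(value, dict) else None


def parse_bearer(header_value):
    """Return the token from an Authorization header value, or None."""
    scheme, _, rest = header_value.strip().partition(" ")
    token = rest.strip(" ")
    if scheme.lower() != "bearer" or not B64TOKEN.match(token):
        return None
    return token


def classify_token(token):
    """Shape check only: no signature or claim is verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    header = _b64url_json(parts[0])
    if header is None or "alg" not in header:
        return "opaque"
    return "jwt-shaped"


def _enc(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample values, not real credentials.
SAMPLE_JWT = ".".join(
    [_enc({"alg": "HS256", "typ": "JWT"}), _enc({"sub": "demo"}), "c2ln"])
# Example token from RFC 6750: three dot-separated parts, yet not a JWT.
SAMPLE_OPAQUE = "mF_9.B5f-4.1JqM"
```

A "jwt-shaped" result says nothing about validity; the token still has to go through signature and claim verification in a JWT library before any claim in it is trusted.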
