Prashant G

Reputation: 4910

API authentication using json web tokens jwt-simple

I'm using jwt-simple to create an api key. Basically what it does is encode(secret+data) and sends it attaching with the request. I'm aware that the server will decode(encode(secret+data)) and verify that it is a valid request. Sample code found in jwt-simple documentation:

var jwt = require('jwt-simple');
var payload = { foo: 'bar' };
var secret = 'xxx';

// encode 
var token = jwt.encode(payload, secret);

// decode 
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> { foo: 'bar' } 

My questions are:

Thanks in advance.

Upvotes: 1

Views: 4071

Answers (1)

June

Reputation: 413

See this post regarding your confusion with the secret: Can anybody decode a JSON Web Token (JWT) without a secret key?

As for your questions:

  1. Yes, everybody who somehow manages to get a valid token can access your API. So if someone knows the secret key you use for signing your tokens and can create a valid payload, he can use the API. But the usual flow would be: a user logs in, you check the password, and if it's the right password you give him a valid token. If someone grabs that token from that user's computer there is not much you can do. But you can make tokens expire, so if someone steals one it is not valid for very long.

  2. You can sign your tokens with the same application wide secret but you would use some unique user specific payload so that every user gets a different token.

  3. In a simple solution you would just send the token with every call you make to the API (besides login and sign-up). There are other solutions with establishing sessions but I think they are a bit more difficult to implement.

Upvotes: 1
