Gregory-Turtle

Reputation: 1717

What is the correct workflow for JWT?

I am working on an API and I am trying to wrap my head around authorization. I just learned about JSON Web Tokens and I understand the concept, but there are a few things I have questions about.

  1. Once I get the initial JWT, do I just include it in the header whenever I make a request from the client to the server?
  2. Do I also include it when responding to the client from the server?
  3. Do I have to update the expiration time whenever I send it with a request (in either direction)?

Thank you!

Upvotes: 3

Views: 1721

Answers (1)

eckymad

Reputation: 1080

  1. If you need to be able to authenticate the request, yes, you will need to send the JWT with the request. Calls that do not need authentication can be made without this.
  2. No, you don't need to include it in every response. Once the browser has the JWT assigned (at login), you can just store it in the browser (localStorage) until it should be adjusted or removed (such as on logging out).
  3. The expiration should be set so that the token remains valid for the period you need it for. Just like with cookie sessions, an expiration is set. The expiration timestamp makes the JWT valid until the expiration passes.

Upvotes: 2
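The three points above as a runnable round trip, added here as an example rather than code from the question or the answer: the server issues an HS256 token with an `exp` claim at login, the client attaches it in an `Authorization: Bearer` header, and the server checks the signature first and the expiry second on every authenticated call. The JWT encoding is hand-rolled with the standard library to avoid a dependency, and `SECRET` is a constructed placeholder.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-signing-key-not-for-production"  # constructed placeholder; use a random key in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, ttl_seconds: int, now=None) -> str:
    """Server side, once at login: build header.payload and sign it with HS256."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def client_headers(token: str) -> dict:
    """Client side: attach the token kept in localStorage to an authenticated request."""
    return {"Authorization": f"Bearer {token}"}


def verify_request(headers: dict, now=None):
    """Server side, per request: signature check, then exp check. Returns claims or None."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        header_b64, payload_b64, sig_b64 = auth[len("Bearer "):].split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # only accept the algorithm the server itself uses
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if now >= claims.get("exp", 0):  # token is valid only until the expiration passes
        return None
    return claims
```

The expiry is fixed at issue time; a request does not extend it, so a client that needs to stay logged in longer has to obtain a new token before the old one lapses.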
