Reputation: 2344
I have an API made in Rails where people can only make a request to it if they send along a JWT token - https://jwt.io. I'm using Rack::Attack to rate limit people based on IP. Now I also want to rate limit people based on the request token they send along.
Which of the 3 parts of the JWT token below is unique to that user? Does that part change from time to time? In other words... which part can I identify the user on?
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Upvotes: 2
Views: 1034
Reputation: 1012
No part of the JWT will ever be unique for a user 100% of the time.
HEADER: ALGORITHM & TOKEN TYPE - is not unique to the user
PAYLOAD: DATA - expiration is part of the payload, which changes with every token that's issued
VERIFY SIGNATURE - the signature is computed over the payload, which changes
The best bet is to decode the token and use part of the data stored in the token that identifies the user and is immutable.
Upvotes: 5
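As an added example (not code from the question or the answer above), here is a stand-alone Ruby implementation of that advice: verify the HS256 signature with the app's own secret, read the immutable `sub` claim, and hand it to Rack::Attack as the throttle discriminator. Keying on the raw token string would not work, because `exp` and therefore the signature change on every issued token, and keying on an unverified claim would let anyone forge a `sub` of their choice and dodge the per-user limit. The secret, the claim set, the throttle limits and the helper names are assumptions for the example; a Rails app would load the secret from credentials and would normally decode with the `jwt` gem rather than by hand.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Assumed HMAC secret for this example only; a Rails app would load it from
# credentials, never from a literal in the source.
JWT_SECRET = 'example-hs256-secret-do-not-reuse'.freeze

# JWT segments are base64url without '=' padding (RFC 7515, section 2).
def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mints an HS256 token. Used here only to build sample input; the app's
# issuer would normally do this with the jwt gem.
def mint_hs256(claims, secret)
  header = { 'alg' => 'HS256', 'typ' => 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Returns the claims Hash only if the token is well formed, signed with our
# secret under the pinned algorithm, and not expired; nil otherwise.
def verified_claims(token, secret, now: Time.now.to_i)
  parts = token.to_s.split('.', -1)
  return nil unless parts.length == 3

  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: the token must not get to choose it (alg=none, HS/RS confusion).
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(expected, b64url_decode(parts[2]))

  claims = JSON.parse(b64url_decode(parts[1]))
  return nil unless claims.is_a?(Hash)
  exp = claims['exp']
  return nil if claims.key?('exp') && !(exp.is_a?(Numeric) && exp > now)

  claims
rescue ArgumentError, JSON::ParserError
  nil
end

# Rack::Attack discriminator: the stable subject id from a verified token,
# or nil (rule does not apply) when the header carries no valid token. Such
# requests fail authentication anyway and stay under the existing IP throttle.
def token_discriminator(authorization_header, secret, now: Time.now.to_i)
  auth = authorization_header.to_s
  return nil unless auth.start_with?('Bearer ')

  claims = verified_claims(auth.delete_prefix('Bearer '), secret, now: now)
  claims && claims['sub']
end

# Registration as it would appear in config/initializers/rack_attack.rb.
# Guarded so this file also runs where the gem is not loaded.
if defined?(Rack::Attack)
  Rack::Attack.throttle('api/by-subject', limit: 300, period: 300) do |req|
    token_discriminator(req.env['HTTP_AUTHORIZATION'], JWT_SECRET)
  end
end
```

With this in place, two tokens issued to the same user at different times have different signatures but map to the same throttle key, while a token whose payload was swapped to another `sub` without re-signing, an `alg: none` token, or an expired token produce no key at all. If the app issues tokens with a `jti` claim, keying on `jti` instead of `sub` would throttle per session rather than per user, which is sometimes what you want.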