ilia

Reputation: 339

jsonwebtoken: what is payload

I want to use JSON Web Tokens for validating users and I am about to use the jwt.sign method, but the "payload" term confused me. According to Wikipedia, the payload definition (in computing) is:

In computing and telecommunications, the payload is the part of transmitted data that is the actual intended message. Headers and metadata are sent only to enable payload delivery.

but according to the Medium code:

    // `app` (an Express app), `User` (the user model) and `secret` (the signing key)
    // are assumed to be defined elsewhere in the Medium article's code.
    const jwt = require('jsonwebtoken');

    app.post('/api/authenticate', function(req, res) {
      const { email, password } = req.body;
      User.findOne({ email }, function(err, user) {
        if (err) {
          console.error(err);
          res.status(500).json({ error: 'Internal error please try again' });
        } else if (!user) {
          res.status(401).json({ error: 'Incorrect email or password' });
        } else {
          user.isCorrectPassword(password, function(err, same) {
            if (err) {
              res.status(500).json({ error: 'Internal error please try again' });
            } else if (!same) {
              res.status(401).json({ error: 'Incorrect email or password' });
            } else {
              // Issue token
              const payload = { email };
              const token = jwt.sign(payload, secret, {
                expiresIn: '1h'
              });
              res.cookie('token', token, { httpOnly: true })
                .sendStatus(200);
            }
          });
        }
      });
    });

The payload is the user-provided email for authentication, which confused me. I will be glad if anyone can explain what the payload is and what the role of the payload is in jwt.sign().

Upvotes: 6

Views: 5260

Answers (1)

Soviut

Reputation: 91605

In JSON Web Tokens, the payload is a set of fields that you want to include in the token being generated: things your API will need to, say, get the right data for a particular user.

It's just a simple JSON object that is usually used to include user identification details such as a user ID, account ID or an email address. However, it can also contain any arbitrary data you might need such as a user's full name, language preferences, etc.

An example payload might look like the following, assuming these were the fields your API depended on to get details about the user/account who the token belongs to. Note that this would be considered a rather large payload; most payloads only have a single user ID field since that's typically all the endpoint should need to properly identify a user.

    {
      user_id: 303,
      account_id: 909,
      email: '[email protected]',
      full_name: 'Joe Blow',
      default_language: 'en_US'
    }

WARNING: The payload is NOT encrypted so make sure you do not store things like passwords, secret keys, credit card numbers, bank account balances, etc. in it. Only identifiers like IDs you'd see in a URL or public keys should ever be stored.

Additionally, the payload contributes to the overall length of the token (more data means longer tokens) so you only want to include the most essential pieces of data. Otherwise, you'll be sending a very large token on every request which consumes bandwidth and, theoretically, takes up more server resources to decode.

Finally, JWTs are stateless, meaning they aren't sessions. So don't include any data that changes frequently, such as game scores, last sign in, etc.

Upvotes: 12
