benmartin101

Reputation: 74

How does authentication token get authenticated in server?

I'm trying to understand token based authentication. I've already created a simple app that demonstrates token authentication using OWIN, and I got it to work. I got it from here: token-based-authentication

However, I'm still confused about how exactly my web API knows that the token is valid. My understanding is that the server does not save anything in memory (in regards to the token); when it gets the token from the client, it will somehow decrypt it and figure out whether it is valid; basically, everything needed to validate the token is in the token itself? Does it use a key to decrypt? And if so, if I run my web app on two servers, does that mean both servers will have the exact same key?

Upvotes: 0

Views: 65

Answers (1)

user47589

The token is encrypted (or signed) using a key that only that server has. If it can decrypt it, then logically, it must have originated from that server, therefore it must be a real, valid token.

To use the token across multiple servers, they will need the same key; otherwise they cannot decrypt it or verify its signature.

If signing is used, a public/private key pair can be used, meaning a token generated on another server can be trusted if its public key is known. You would not need the private key to verify the signature.

The exact mechanism for doing this depends on the technologies in use.

Upvotes: 2
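As an added example (not code from the question's OWIN app or from the answer), the shared-key case in Python: an HMAC-SHA256 tag over the claims lets any server holding the same key validate the token without storing anything, while a server with a different key, an expired token, or a modified payload is rejected. The keys and claims below are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag computed with the server key."""
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(tag)}"

def validate_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag verifies under `key` and the token has not expired, else None.
    Nothing is looked up server-side: the claims and the proof of origin are both in the token."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # constant-time comparison, so timing does not reveal how many tag bytes matched
        if not hmac.compare_digest(expected, _b64url_decode(tag)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    # a token without an expiry, or past its expiry, is rejected
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def demo() -> dict:
    """Constructed scenario: servers A and B share key_a (a farm); server C has its own key."""
    key_a = b"constructed-shared-key-for-server-farm"
    key_c = b"constructed-key-of-an-unrelated-server"
    issued = 1_700_000_000
    token = issue_token({"sub": "alice", "exp": issued + 3600}, key_a)
    # same tag, but the payload was edited after issuance, so the tag no longer matches
    tampered = _b64url(b'{"exp":1700003600,"sub":"admin"}') + "." + token.split(".")[1]
    return {
        "same_key_other_server": validate_token(token, key_a, now=issued + 10),
        "different_key": validate_token(token, key_c, now=issued + 10),
        "expired": validate_token(token, key_a, now=issued + 7200),
        "tampered": validate_token(tampered, key_a, now=issued + 10),
    }
```

The public-key variant the answer mentions has the same shape, with a signature over the payload in place of the HMAC tag, so verifying servers only need the public key.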
