auerbachb
Reputation: 947
Should I return user data in an authentication endpoint using JWT?
I implement an auth endpoint which takes an email and password and returns a JWT token. Inside the JWT there is a payload containing the user ID. Does it matter from a REST/JWT standards perspective which of these approaches I take?
- return the token and let the client request the
/users/user_idresource on a callback with the decoded user_id and the token - return the entire user object with the token from the
/authendpoint for the convenience of the client.
(my question is implementation/library agnostic and about the api-design pattern)
Upvotes: 6
Views: 4217
Answers (1)
auerbachb
Reputation: 947
To summarize the discussion there; if the API is internally used then it matters less, if you are providing an external API with multiple consumers it matters more. There is no discussion of any security risks with either approach.
Upvotes: 2
Related Questions
- REST API responses based on authentication, best practices?
- How should I return JWT token to user after login?
- Should Token Auth service return null or 401?
- Passing user ID in body or in token
- API desing – Is it ok to fetch user's data from auth token?
- Should I use data contained in an authentication JWT on the client-side?
- What is the best practice to return login credentials in a rest API response?
- Best Practice handling user data with JWT
- Should user-specific properties be returned from an authenticated REST API endpoint?
- Should user object be stored in JSON Web Token?