Reputation: 425
I'm a bit confused about authentication through a token. If I need to call a web API authenticated from a web application, I need to add the token to every call to the APIs: but in this case the token can be easily copied and used to make authenticated calls. For example: if I have a .NET Core API backend and a web application that uses the APIs to render information, the token must be added in the JavaScript calls... or not?
Where am I wrong? Thank you!
I'm sorry if you find the question very trivial or perhaps stupid, but I really can't imagine how a call to a set of APIs made on the client side can be protected against token theft. Can you help me clarify? Thanks
Upvotes: 0
Views: 496
Reputation: 300
That's why you should make different tokens with different scopes, so each token can do only the thing it's supposed to do. Maybe a token with a scope for viewing data for normal users, so they can make whatever call to the API with that token, but they will only be able to view whatever you allow them, and other scopes for maybe editing, so only admins are able to make calls to the API to edit things.
More info: https://oauth.net/2/scope/
Upvotes: 1
Reputation: 1293
JWTs have an ‘aud’ claim to specify the audience for which they’re valid. Resource servers are supposed to validate that the bearer token came from a member of the audience. So copying the token from ‘good_host’ and trying to use it from ‘bad_host’ should fail.
Upvotes: 2
Reputation: 5935
That's why you should use token authorization only with HTTPS. With HTTPS the channel between client and server is protected, and so your token is not easily stolen.
Upvotes: 1
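Two small pieces of code make the HTTPS-only rule from the answer above enforceable rather than a convention: a client-side helper that refuses to attach the bearer token to a plaintext URL, and the HSTS header the server sends so browsers stop speaking plain HTTP to it at all. This is an added example, not code from the thread; `authorizedRequest`, `hstsHeader` and the loopback exception for local development are assumptions of the demo.

```javascript
// Added example (not from the original thread): never put a bearer token on the
// wire in clear text. Client guard for fetch() plus the server's HSTS header.

// Plain http:// is tolerated only for loopback, so local development still works.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Build fetch() options for an authenticated API call. Throws instead of leaking
// the token if the URL would send it over plain HTTP to a non-loopback host.
function authorizedRequest(url, token, init = {}) {
  const u = new URL(url);
  const secure = u.protocol === 'https:' ||
    (u.protocol === 'http:' && LOOPBACK_HOSTS.has(u.hostname));
  if (!secure) {
    throw new Error(`refusing to send bearer token over ${u.protocol}//${u.host}`);
  }
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  return { ...init, headers };
}

// Server side: Strict-Transport-Security value. One year, including subdomains,
// is the usual production setting; browsers then upgrade http:// to https://
// themselves before any request (and any token) leaves the machine.
function hstsHeader({ maxAgeSeconds = 31536000, includeSubDomains = true } = {}) {
  return `max-age=${maxAgeSeconds}${includeSubDomains ? '; includeSubDomains' : ''}`;
}

// Usage: fetch('https://api.example.com/reports', authorizedRequest(url, token));
// and on the server: res.setHeader('Strict-Transport-Security', hstsHeader());
```

HTTPS protects the token in transit only; a token that reaches the browser can still be read by any script running in that page, so the transport rule complements, rather than replaces, the scope, audience and expiry checks discussed in the other answers.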