When the client sends their credentials to the server (to exchange them for a token), the recently issued token can be returned in the response payload as text or as JSON, it's up to you:
HTTP/1.1 200 OK
Date: Wed, 19 Apr 2017 09:51:12 GMT
Content-Type: text/plain

xxxxx.yyyyy.zzzzz

HTTP/1.1 200 OK
Date: Wed, 19 Apr 2017 09:51:12 GMT
Content-Type: application/json

{ "token" : "xxxxx.yyyyy.zzzzz" }
What you must keep in mind is the communication between client and server: It must be done over HTTPS to ensure that the message won't be tampered with.
And when the client sends the token to the server, it should be sent in the Authorization header (again over HTTPS):
GET /api/greetings HTTP/1.1
Host: example.org
Authorization: Bearer xxxxx.yyyyy.zzzzz
The Authorization header is supposed to carry credentials. And when talking about an authentication schema based on tokens, the tokens are credentials and frequently prefixed with Bearer, that indicates the authentication schema. This answer will shed some light on this.
Finally, it is worthwhile to mention that the Authorization header is designed to be used in the request and not in the response.
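The following is an added example, not part of the answer above, showing both sides of the exchange it describes: the server mints a token and returns it in the `{ "token": ... }` JSON body, and on a later request it extracts the token from `Authorization: Bearer ...` and verifies it before serving `/api/greetings`. The token is an HS256 JWT (the `xxxxx.yyyyy.zzzzz` shape) built with the standard library only; the shared secret, the `issue_token`/`verify_token`/`handle_request` names and the sample timestamps are all constructed for this example. The header extraction is written defensively: the header name and the `Bearer` scheme are matched case-insensitively, while a missing header, another scheme, an empty token, a bad signature, a non-HS256 `alg` or an expired token all produce a 401.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed secret for this example only; a real service loads it from a
# secrets store and never hard-codes it.
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT: header.payload.signature (the xxxxx.yyyyy.zzzzz shape)."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds}, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def token_response_body(token: str) -> str:
    """The JSON response payload from the answer: { "token": "..." }."""
    return json.dumps({"token": token})


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>'.
    Header name and scheme are case-insensitive (HTTP / RFC 6750); a missing
    header, another scheme (e.g. Basic) or an empty token yields None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Check structure, algorithm, signature and expiry; return claims or None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm we did not issue
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # constant-time comparison of the signature
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None  # undecodable base64 or JSON is treated as invalid
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def handle_request(headers: Dict[str, str], now: Optional[int] = None) -> Tuple[int, str]:
    """Server side of 'GET /api/greetings': 401 unless a valid bearer token is present."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, "missing or malformed Authorization header"
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"hello, {claims['sub']}"


if __name__ == "__main__":
    issued_at = 1492595472  # constructed timestamp (19 Apr 2017 09:51:12 GMT)
    t = issue_token("alice", now=issued_at)
    print(token_response_body(t))  # what the login response body looks like
    print(handle_request({"Host": "example.org", "Authorization": f"Bearer {t}"}, now=issued_at + 10))
    print(handle_request({"Host": "example.org"}, now=issued_at + 10))
```

`handle_request` deliberately returns the same 401 for a missing header and for a bad token, so the response does not tell a caller which of the two checks failed; the expiry check uses the caller-supplied `now` only so the example is reproducible in a test.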