
How do APIs that could be accessed from anywhere, but need authentication, handle JWTs if you can't set Access-Control-Allow-Origin: * and fetch(url, { credentials: "include" }); simultaneously?

For example, if you have a public site that anyone can register for and they make requests from their browser, how can your API know which origins to whitelist?

Sean

1 Answer


You can use token based authentication, where the client sends the JWT token as an authorization header with each request to the API, and the server checks the token to ensure that it is valid before allowing the request to proceed. The server also checks the "origin" header of the incoming request to determine if it is an allowed origin, and may use a dynamic whitelist approach to allow users to add their own origins to the list of allowed origins when they register for the API.

Jalpa Tank
    Thanks for your answer! I was concerned about how to store the token, but after some more digging, I found this: https://stackoverflow.com/questions/71721867/how-to-securely-implement-authentication-in-single-page-applications-spas-with – Sean Apr 09 '23 at 01:50