Questions tagged [json-web-token]

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

The suggested pronunciation of JWT is the same as the English word "jot".

243 questions
61 votes, 3 answers

JSON Web Token (JWT) benefits over a database session token

With a database session token system I could have a user login with a username/password, the server could generate a token (a uuid for example) and store it in the database and return that token to the client. Every request from thereon would…
ajeetdl
45 votes, 1 answer

JWT: What's a good secret key, and how to store it in a Node.js/Express app?

Firstly, what's a good method of generating a secret key? I should punch in a lot of random keys on my keyboard to generate one, but there must be a better solution to this. Explain the way to generate a very good key. Second, what's a good way to…
Sam
36 votes, 4 answers

jsonwebtoken.sign() fails with expiresIn option set

I need to get a token by signing a user ID with JWT: var token = jwt.sign(accounts[request.headers.login].id, privateKey, {expiresIn: 60}); Where id and privateKey are strings. The error is Error: Uncaught error: "expiresIn" should be a number of…
Sergei Basharov
34 votes, 7 answers

JWT Verify client-side?

I have a nodejs api with an angular frontend. The API is successfully using JWT with passport to secure its endpoints. I am now conscious that after the tokens have expired, my front end will still allow the user to request my api endpoints…
George Edwards
29 votes, 1 answer

When is JWTSecurityTokenHandler.ValidateToken() actually valid?

I am attempting to create a token validation method that returns true if a JWT token is valid based on the signature. I don't think I really need to validate everything in the token but what actually signifies a token is valid after calling…
Adam
27 votes, 1 answer

Refresh Token Jsonwebtoken

I am using jsonwebtoken in a NodeJs API application for authenticating users in my API application. The flow that I have set up is as follows: 1) The user registers through the signup API and the access token is generated using the following: var jwt =…
XCEPTION
25 votes, 6 answers

Is there a way to parse claims from an expired JWT token?

If we try to parse an expired JWT, it results in an expired exception. Is there a way to read the claims even if the JWT has expired? Below is what is used to parse the JWT in Java: Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(token).getBody();
Sivaprakash
21 votes, 3 answers

Is it ok to store user credentials in the JWT

Is it ok to store user credentials (username / password) in the JWT (so sign it and verify the resulting token later)? I heard that No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily…
FrozenHeart
18 votes, 4 answers

UnauthorizedError: invalid algorithm express-jwt

I am displaying some data on my website which returns from a node server. It worked perfectly until today. Now I am getting the below error on my server console when I go to my web page. I use Auth0 for signing in users. UnauthorizedError: invalid…
Bishan
18 votes, 4 answers

Unable to set Exp and Iat for JWT correctly

I am a bit stumped by this one. I am trying to set up a valid JWT. I am using node.js with the jsonwebtoken middleware. I have followed the documentation located on the repo (located here), but I keep getting the wrong Exp and Iat. Obviously I would…
Ebbs
16 votes, 2 answers

How to handle JWT revocation with MQTT

Following the instructions in this Auth0 article, I successfully authenticated MQTT clients using "JWT" as username and the JWT token as a password. In my use case, however, JWT tokens are short-lived. Clients must fetch a new token before the…
Arthur C
15 votes, 2 answers

Passport & JWT & Google Strategy - Disable session & res.send() after google callback

Using: passport-google-oauth2. I want to use JWT with Google login - for that I need to disable session and somehow pass the user model back to client. All the examples are using google callback that magically redirect to '/'. How do I: 1. Disable…
chenop
15 votes, 1 answer

Best Practice handling user data with JWT

I'm implementing a stateless REST API via Json Web Tokens (JWT). At the moment, I'm wondering what is the best approach to pass the user data to the front end. These are the fields I would need to access on the front-end: username, email, role,…
Websirnik
14 votes, 3 answers

Time expiration issue in JWT

As you know, there are some good reasons for using token based authentication instead of session based. In session based, of course there is an expiration time. So if a user is not active for a while, his session gets expired. But before expiring, if he…
Vahid Najafi
13 votes, 3 answers

How to keep client JSON web token secure in a React Native app?

We are building a React Native app for iOS and we are using an internal API built on node + express + jsonwebtoken. When the user logs in with username/password, the server validates those credentials and sends the client back a JSON web token that…
Ryan