Questions tagged [jwt]

JSON Web Token (JWT, pronounced "jot") is a type of token-based authentication used in space-constrained environments such as HTTP Authorization headers. Use this tag for questions relating to the configuration, generation and usage of JWTs in your code.

JSON Web Token (JWT, pronounced "jot") is a token format for use in space-constrained environments such as HTTP authorization headers. It is defined in RFC 7519.

JWTs encode security "claims" as JSON objects, and the token can be signed and/or encrypted. JWT is used by the OpenID Connect authentication standard.

More information about JWT and libraries for different languages can be found on the official JWT site.

17340 questions
646 votes, 17 answers

JWT (JSON Web Token) automatic prolongation of expiration

I would like to implement JWT-based authentication to our new REST API. But since the expiration is set in the token, is it possible to automatically prolong it? I don't want users to need to sign in after every X minutes if they were actively using…
maryo
630 votes, 33 answers

Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a token-based session approach (no…
funseiki
583 votes, 9 answers

What are the main differences between JWT and OAuth authentication?

I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send 'Bearer tokens' for every request instead of a simple token header but I do think that OAuth is a lot…
Venkatesh Laguduva
575 votes, 9 answers

If you can decode JWT, how are they secure?

If I get a JWT and I can decode the payload, how is that secure? Couldn't I just grab the token out of the header, decode and change the user information in the payload, and send it back with the same correct encoded secret? I know they must be…
Z2VvZ3Vp
529 votes, 23 answers

How to decode jwt token in javascript without using a library?

How can I decode the payload of JWT using JavaScript? Without a library. So the token just returns a payload object that can be consumed by my front-end app. Example token: xxxxxxxxx.XXXXXXXX.xxxxxxxx And the result is the payload: {exp: 10012016 name:…
Chrisk8er
361 votes, 4 answers

RS256 vs HS256: What's the difference?

I'm using Auth0 to handle authentication in my web app. I'm using ASP.NET Core v1.0.0 and Angular 2 rc5 and I don't know much about authentication/security in general. In the Auth0 docs for ASP.NET Core Web Api, there are two choices for the JWT…
Rico Kahler
350 votes, 7 answers

JWT authentication for ASP.NET Web API

I'm trying to support JWT bearer token (JSON Web Token) in my web API application and I'm getting lost. I see support for .NET Core and for OWIN applications. I'm currently hosting my application in IIS. How can I achieve this authentication module…
Amir Popovich
346 votes, 2 answers

Best HTTP Authorization header type for JWT

I'm wondering what is the most appropriate Authorization HTTP header type for JWT tokens. One of the probably most popular types is Basic. For instance: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== It handles two parameters such as a login and a…
Zag zag..
326 votes, 7 answers

Where to store JWT in browser? How to protect against CSRF?

I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, additional measures need to be applied in order to protect it from CSRF. They are just a bit…
Timespace
311 votes, 14 answers

Is it safe to store a JWT in localStorage with ReactJS?

I'm currently building a single page application using ReactJS. I read that one of the reasons for not using localStorage is because of XSS vulnerabilities. Since React escapes all user input, would it now be safe to use localStorage?
user6127082
295 votes, 7 answers

Authentication: JWT usage vs session

What is the advantage of using JWTs over sessions in situations like authentication? Is it used as a standalone approach or is it used in the session?
Pourya8366
295 votes, 5 answers

JWT refresh token flow

I'm building a mobile app and am using JWT for authentication. It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want. What does a refresh token look…
jtmarmon
290 votes, 7 answers

What if JWT is stolen?

I am trying to implement stateless authentication with JWT for my RESTful APIs. AFAIK, JWT is basically an encrypted string passed as HTTP headers during a REST call. But what if there's an eavesdropper who sees the request and steals the token? …
smwikipedia
234 votes, 4 answers

What's the difference between JWTs and Bearer Token?

I'm learning something about Authorization like Basic, Digest, OAuth2.0, JWTs, and Bearer Token. Now I have a question. You know JWTs are being used as an Access_Token in the OAuth2.0 standard. JWTs appear in RFC 7519, and Bearer Token is in RFC…
laoqiren
231 votes, 6 answers

JWT vs cookies for token-based authentication

I read some posts about "JWT vs Cookie" but they only made me more confused... I want some clarification: when people talk about "token-based authentication vs cookies", do cookies here merely refer to session cookies? My understanding is that…
watashiSHUN