JSON Web Token

  • JWT is a format

  • It can be used for many purposes

    • ID Tokens are always JWTs

    • Access tokens can be JWTs

    • Refresh Tokens are "never" JWTs: they are only ever sent back to the authorization server that issued them, so the client has no reason to read them

  • Most often signed (JWS)

  • Can be encrypted (JWE)

Signed - JWS

  • Proves who issued the token

  • The predominant form of JWT in practice

  • Prefer asymmetric signatures (RS256, ES256): verifiers hold only the public key, whereas an HMAC (HS256) secret must be shared with every verifier

  • Always whitelist the allowed algorithms; reject "none" and never let the token's own "alg" header choose how it is verified

  • Don't rely on the signature alone; a valid signature only proves who minted the token, so verify the claims as well

    • Audience

    • Issuer

    • Expiration
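
A worked verifier for the checklist above, added here as an illustration and not code from the original page. It allow-lists the algorithm before touching the signature, compares the MAC in constant time, and only then checks issuer, audience and expiry. HS256 is an assumption made so the block runs on the standard library alone; the page recommends asymmetric signatures, and with RS256/ES256 in a real library the structure of the checks is the same. All keys, issuer and audience names, and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: HS256 is used only because it needs nothing beyond the standard
# library. In production prefer an asymmetric algorithm (RS256/ES256) and a
# maintained JWT library; the allow-list and claim checks are identical.
ALLOWED_ALGS = {"HS256"}


class TokenError(Exception):
    """Raised for any token that must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str) -> str:
    """Classic attack: rewrite the header to alg=none and drop the signature.
    A verifier that trusts the token's own alg header accepts this."""
    _, payload_b64, _ = token.split(".")
    header_b64 = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header_b64}.{payload_b64}."


def verify_jwt(token, key, expected_iss, expected_aud, now=None) -> dict:
    """Verify signature AND claims; return the claims only if everything holds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts

    # 1. The algorithm comes from OUR allow-list, never from the token alone.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. Signature over the exact bytes that were signed, constant-time compare.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    # 3. A valid signature only says who minted it; now check it is meant for us.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise TokenError(f"wrong issuer: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError(f"wrong audience: {aud!r}")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("missing or past exp")
    return claims


def check_token(token, key, expected_iss, expected_aud, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_jwt(token, key, expected_iss, expected_aud, now)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed demo data, not from any real deployment.
    KEY = b"constructed-demo-key-do-not-use"
    NOW = 1_700_000_000
    good = sign_hs256({"iss": "https://as.example", "aud": "api.example",
                       "sub": "alice", "exp": NOW + 300}, KEY)
    print(check_token(good, KEY, "https://as.example", "api.example", NOW))
    print(check_token(forge_alg_none(good), KEY, "https://as.example", "api.example", NOW))
    print(check_token(good, KEY, "https://as.example", "other-api", NOW))
    print(check_token(good, KEY, "https://as.example", "api.example", NOW + 600))
```

The order matters: the algorithm is decided before any cryptography runs, so an attacker-supplied "alg" cannot downgrade the check, and the claim checks run after the signature so unsigned input never reaches the JSON parser's output as trusted data. Passing `now` explicitly keeps expiry checks testable; in production leave it unset.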

Encrypted - JWE

  • Keeps data confidential

  • Used in OpenID Connect

    • ID Tokens

    • User info responses

  • Not practical for access tokens: every API that consumes them would need the decryption key

  • If access token contents must stay confidential, opaque (reference) tokens are preferred

JWTs and Protocols

A JWT is not a protocol.

How a JWT is used depends on the protocol that carries it.

They should not be used against the protocol's intention.

Example

  • Access tokens are for the API

  • They are issued to the client

  • The client should not decode the access token: its format and claims are a contract between the authorization server and the API, not with the client
