Intro to JSON Web Tokens


  1. Understand what a JSON Web Token is and how it's used
  2. Be able to protect a server-side endpoint with a JWT
  3. Understand similarities/differences between JWTs and other authentication methods

What if...

"someone discovers a server-side endpoint used for sharing private photographs"

We can protect access to this endpoint by requiring every request to carry a valid JWT, which the server verifies before responding


With a partner, discuss the following questions:

  1. What did you use API keys for? Why did you need them?
  2. How did you use them? Where did you put them in your codebase?
  3. What problems, if any, did you run into when using them?

What is a JWT?

  • a string
  • ...that is base64url-encoded
  • ...and contains authentication data for a particular user

Let's take a look at the anatomy of a JWT

How can we use JWTs?

By sending them along with a request to the server, either:

  • in the request body
  • as a query parameter
  • in the Authorization header (the usual choice, because headers are not logged or cached as readily as URLs)
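The anatomy mentioned above and the Authorization-header delivery just listed, worked through as an added example (this is not code from the original lesson). It uses only the Python standard library: `create_jwt` builds a three-part HS256 token, `decode_jwt` shows that anyone can read the header and payload without the secret, `verify_jwt` checks the signature and expiry, and `authorize_request` plays the role of the photo endpoint's guard. The secret, the claims, and the `authorize_request` helper are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for the example: a real secret is loaded from configuration, never hard-coded.
SECRET = b"example-shared-secret"


def b64url_encode(raw: bytes) -> str:
    """JWT parts use base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """header.payload.signature, each part base64url-encoded, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_jwt(token: str) -> dict:
    """Split a token into its parts WITHOUT checking the signature.

    Anyone holding the token can do this, so the payload must never carry secrets;
    base64url is encoding, not encryption."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed with `secret`, and unexpired; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        provided_sig = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return None
    # Pin the algorithm: trusting the header's "alg" lets a client pick "none".
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def authorize_request(headers: dict, secret: bytes, now: Optional[float] = None) -> Tuple[int, str]:
    """Hypothetical guard for the private-photo endpoint: expects 'Authorization: Bearer <jwt>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    claims = verify_jwt(token, secret, now)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"photos for user {claims.get('sub')}"


if __name__ == "__main__":
    token = create_jwt({"sub": "alice", "exp": int(time.time()) + 3600}, SECRET)
    print(token)
    print(decode_jwt(token)["payload"])
    print(authorize_request({"Authorization": "Bearer " + token}, SECRET))
```

Two points the code makes concrete: the payload is readable by anyone (so the signature, not the encoding, is what the server relies on), and the server fixes the algorithm it will accept rather than reading it from the token.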

Why do we use JWTs?

To verify that a request is coming from an authentic source

  • to prevent data from being exposed to unauthorized users
  • to limit access to features of an application
  • remember that authentication alone does not make an application secure