Intro to JSON Web Tokens
- Understand what a JSON Web Token is and how it's used
- Be able to protect a server-side endpoint with a JWT
- Understand similarities/differences between JWTs and other authentication methods
"someone discovers a server-side endpoint used for sharing private photographs"
We can protect access to this endpoint by requiring authentication through the use of a JWT
With a partner, discuss the following questions:
- What did you use API keys for? Why did you need them?
- How did you use them? Where did you put them in your codebase?
- What problems, if any, did you run into when using them?
What is a JWT?
- a string
- ...made of three base64url-encoded segments separated by dots (header, payload, signature)
- ...that contains authentication data (claims) for a particular user
Let's take a look at the anatomy of a JWT
How can we use JWTs?
By sending them to the server with each request, either:
- in the request body
- as a query parameter
- in the Authorization header
Why do we use JWTs?
To verify that a request is coming from an authentic source
- to prevent data from being exposed to unauthorized users
- to limit access to features of an application
- authentication does not equal full security