- JWT = Authorization token that must be included on all requests
- To get a token, we exchange a username+password for an access token and a refresh token
- access token: short-lived (expires in minutes)
- refresh token: longer-lived (ideally, 1 day).
- The refresh token is like a session.
- After the refresh token expires, you must ask for the username+password again.
- A token has the format header.payload.signature: three parts, each base64url-encoded (the URL-safe, unpadded variant of base64), joined by dots.
- Decoded token example:
# header:
{
"typ": "JWT",
"alg": "HS256"
}
# payload:
{
"token_type": "access",
"exp": 1543828431,
"jti": "7f5997b7150d46579dc2b49167097e7b",
"user_id": 1
}
# signature (HS256): HMAC-SHA256 over the first two encoded parts, keyed with SECRET_KEY, then base64url-encoded
signature = base64url(HMAC_SHA256(header_base64 + "." + payload_base64, key=SECRET_KEY))
- The signature is verified by the JWT backend on each request, using the app's SECRET_KEY (the client never needs, and must never receive, that key).
- If the client changes any information in the token's header or payload, the signature no longer matches and the request is rejected.
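The encode/verify cycle described above, as an added stand-alone example (not code from the original notes or from any JWT library). It builds an HS256 token with the same header and payload shown in the decoded example, verifies it, and then shows the two failure modes the notes describe: a client that edits user_id without SECRET_KEY, and an access token used after exp. The key value and the pinned-algorithm check are assumptions for this example; the verifier fixes alg to HS256 rather than trusting whatever the token's own header says, because a verifier that honours the header's alg can be talked into a weaker or absent check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key; the real Django SECRET_KEY is not on the page.
SECRET_KEY = "example-secret-key-not-for-production"

# Payload taken from the decoded token example above.
EXAMPLE_PAYLOAD = {
    "token_type": "access",
    "exp": 1543828431,
    "jti": "7f5997b7150d46579dc2b49167097e7b",
    "user_id": 1,
}


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode removed.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes, key: str) -> str:
    # HS256: HMAC-SHA256 over "header.payload", keyed with SECRET_KEY.
    mac = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return b64url_encode(mac)


def encode_token(payload: dict, key: str) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = sign(f"{header_b64}.{payload_b64}".encode(), key)
    return f"{header_b64}.{payload_b64}.{signature}"


def verify_token(token: str, key: str, now: Optional[int] = None) -> dict:
    """Return the payload if signature and exp check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm (assumed policy): the token must not pick how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign(f"{header_b64}.{payload_b64}".encode(), key)
    # Constant-time comparison so the signature check leaks nothing about the MAC.
    if not hmac.compare_digest(expected, sig_b64):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def tamper_demo(now: int = 1543828000) -> dict:
    """Valid token, a client-edited payload, an alg=none forgery, and an expired token."""
    token = encode_token(EXAMPLE_PAYLOAD, SECRET_KEY)
    header_b64, payload_b64, sig_b64 = token.split(".")

    # Client rewrites user_id but cannot recompute the HMAC without SECRET_KEY.
    forged_b64 = b64url_encode(
        json.dumps(dict(EXAMPLE_PAYLOAD, user_id=2), separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged_b64}.{sig_b64}"

    # Client swaps the header for alg=none and drops the signature entirely.
    none_header = b64url_encode(b'{"typ":"JWT","alg":"none"}')
    alg_none = f"{none_header}.{forged_b64}."

    results = {"valid_user_id": verify_token(token, SECRET_KEY, now)["user_id"]}
    cases = (("tampered", tampered, now),
             ("alg_none", alg_none, now),
             ("expired", token, EXAMPLE_PAYLOAD["exp"] + 60))
    for name, candidate, when in cases:
        try:
            verify_token(candidate, SECRET_KEY, when)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(tamper_demo())
```

The same check applies to the header: changing alg or typ changes the first base64url part, so the HMAC over "header.payload" no longer matches either. A wrong SECRET_KEY fails the same way, which is how the backend tells its own tokens from anyone else's.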