JSON Web Tokens (JWTs)

Server-to-server authorization - you're the same user that logged in before

API authentication - right username and password

Intro to JWT

Don't use JWTs for Auth


  • Server doesn't need to store sessions
  • no Redis

When to use

  • SSO
    • logging into bank server
    • logging into retirement/investment server
    • where both servers have the same shared secret
    • although you could just have the same shared Redis instance with all the sessions
  • server-to-server authorization
  • API authorization
    • when you register to use an API, they give you a secret JWT


  • can't invalidate sessions
    • if someone's session is hijacked
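
An added example (not from the original notes) of the SSO case and the invalidation problem above: one server issues an HS256 token, a second server holding the same shared secret verifies it with no session store, and the token keeps verifying after logout until `exp` unless the verifier keeps a denylist. The secret, claim values, clock value and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, secret: bytes) -> str:
    """Sign claims as an HS256 JWT: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(_mac(secret, header + '.' + payload))}"

def verify(token: str, secret: bytes, now: int, revoked=frozenset()):
    """Return the claims if the token is valid at time `now`, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        if not hmac.compare_digest(_mac(secret, f"{header}.{payload}"), b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
        if not isinstance(claims["exp"], int) or now >= claims["exp"]:
            return None  # expiry is the only built-in way a token dies
        if claims.get("jti") in revoked:
            return None  # denylist: revocation works, but it is server-side state again
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

SHARED_SECRET = b"constructed-demo-secret"  # constructed; both servers hold it
T0 = 1_700_000_000                          # constructed clock value (Unix seconds)

def demo():
    # "Bank" server issues a 15-minute token after login.
    token = issue({"sub": "alice", "jti": "t-1", "exp": T0 + 900}, SHARED_SECRET)
    # "Investment" server verifies with the shared secret, no session lookup.
    accepted = verify(token, SHARED_SECRET, T0 + 60) is not None
    # User logs out (or the token is stolen): a stateless verifier still accepts it.
    after_logout = verify(token, SHARED_SECRET, T0 + 120) is not None
    # Only a server-side denylist of token ids rejects it before expiry.
    with_denylist = verify(token, SHARED_SECRET, T0 + 120, revoked={"t-1"}) is not None
    expired = verify(token, SHARED_SECRET, T0 + 901) is not None
    return accepted, after_logout, with_denylist, expired
```

Short `exp` values shrink the window a hijacked token stays usable; the denylist closes it but brings back the shared store the stateless design was meant to avoid.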

How to store a JWT

  • HTTP only cookie

Last update: 2023-04-24