JSON Web Tokens (JWTs)
A bearer token carrying signed claims, used for:
- server-to-server authorization - proves to the receiving server that you're the same user that logged in before, without it looking you up
- API authentication - the token stands in for the username and password you proved once, at login or registration
Why
- Server doesn't need to store sessions: the token carries its claims plus a signature, so the server only needs the verification key
- no Redis (or other session store) to hit on every request
When to use
- SSO
  - e.g. logging into a bank server and then a retirement/investment server with one login
  - works when both servers trust the same signing key; with HS256 that is one shared secret, which also lets every server mint tokens, while with RS256/ES256 only the issuer holds the private key and the other servers verify with its public key
  - although you could just have the same shared Redis instance with all the sessions
- server-to-server authorization
- API authorization
  - when you register to use an API, some providers hand you a long-lived signed JWT as the credential; treat it like a password
Cons
- can't invalidate a token before its `exp`: the server has no session to delete
  - if someone's token is hijacked it stays valid until it expires, unless you keep a server-side denylist (which brings back the state you removed)
  - mitigation: short-lived access tokens plus a refresh token
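To make the above concrete, here is an added example (not from the original notes) that mints and verifies an HS256 JWT with only the standard library. It shows the stateless property (verification needs only the secret), pins the algorithm so a forged `"alg": "none"` header is rejected, checks `exp`, and models the "can't invalidate" con with a `revoked_jti` denylist that the caller has to keep server-side. The function names, the secret and the claim values are my own choices for illustration.

```python
"""Minimal HS256 JWT mint/verify using only the Python standard library (added example)."""
import base64
import hashlib
import hmac
import json
import time

# The verifier decides the algorithm; the token header never gets to choose it.
EXPECTED_ALG = "HS256"


class InvalidToken(Exception):
    """Raised with a short reason when a token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes, ttl_seconds: int, now=None) -> str:
    """Build header.payload.signature with iat/exp added to the caller's claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, secret: bytes, revoked_jti=frozenset(), now=None) -> dict:
    """Return the claims if the token is genuine, unexpired and not revoked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm. Trusting header["alg"] is what enables the
    #    "alg": "none" attack and HS256/RS256 key-confusion bugs.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg")

    # 2. Recompute the MAC over the exact bytes that were signed and compare
    #    in constant time. This is the whole "stateless" check: no lookup needed.
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")

    # 3. Only now trust the payload. A token with no exp never dies, so require it.
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("expired")

    # 4. Revocation is the one thing the signature cannot give you: the caller
    #    must keep this denylist server-side, which reintroduces state.
    if claims.get("jti") in revoked_jti:
        raise InvalidToken("revoked")
    return claims


def reject_reason(token: str, secret: bytes, revoked_jti=frozenset(), now=None):
    """None when the token verifies, otherwise the reason it was rejected."""
    try:
        verify(token, secret, revoked_jti, now)
    except InvalidToken as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-real-use"  # constructed sample key
    t0 = 1_700_000_000
    token = mint({"sub": "alice", "jti": "t1"}, SECRET, ttl_seconds=300, now=t0)
    print(token)
    print(verify(token, SECRET, now=t0 + 100))
    print(reject_reason(token, SECRET, now=t0 + 400))               # expired
    print(reject_reason(token, SECRET, revoked_jti={"t1"}, now=t0)) # revoked
```

If you use a library such as PyJWT instead, the same rule applies: pass `algorithms=["HS256"]` (or your asymmetric choice) explicitly to `jwt.decode` rather than letting the token header pick.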
How to store a JWT
- HttpOnly cookie, so page JavaScript can't read it and an XSS can't simply exfiltrate it; also set Secure and SameSite, and remember that a cookie-carried token needs CSRF protection
- not localStorage: any XSS on the origin can read it and send the token elsewhere
Last update:
2023-04-24