Why use tokens
Tokens can be generated from anywhere. Token generation is decoupled from token verification, which gives you the option to handle the signing of tokens on a separate server or even through a different company such as Auth0. Fine-grained access control. Within the token payload you can easily specify user roles and permissions as well as the resources that the user can access.
Keep it secret. Keep it safe. The signing key should be treated like any other credential and revealed only to services that absolutely need it.
Do not add sensitive data to the payload. Tokens are signed to protect against manipulation, but they are easily decoded. Add the bare minimum number of claims to the payload for the best performance and security. Give tokens an expiration. Technically, once a token is signed it is valid forever, unless the signing key is changed or an expiration is explicitly set.
Do not send tokens over non-HTTPS connections, as those requests can be intercepted and the tokens compromised. Consider all of your authorization use cases. Adding a secondary token verification system that ensures tokens were generated by your server, for example, may not be common practice, but may be necessary to meet your requirements.
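As an added illustration of the practices above (this is example code, not code from the page or from Auth0): the payload of a JWT is only base64url-encoded and readable by anyone who holds the token, so only the signature check and an exp claim make its contents trustworthy. Standard library only; the HS256 key and the claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: in practice the signing key stays on the signing service only.
DEMO_KEY = b"constructed-demo-signing-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature; the signer is the only party that needs the key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> dict:
    """No key needed: the payload is encoded, not encrypted, so never put secrets in it."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes, now: Optional[float] = None):
    """Return (True, claims) only if signature and exp check out, else (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":       # pin the algorithm; never trust the token's own choice
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"      # header/payload altered, or signed with another key
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims:
        return False, "missing exp"        # without exp the token would be valid forever
    if now >= claims["exp"]:
        return False, "token expired"
    return True, claims
```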
JWT Authentication with Auth0
We will need to make some slight modifications to our code to showcase the authentication flow with Auth0. You should follow token best practices when using access tokens, and for JWTs, make sure that you validate an access token before assuming that its contents can be trusted. By default, an access token for a custom API is valid for 24 hours. We recommend that you set the validity period of your token based on the security requirements of your API. For example, an access token that accesses a banking API should expire more quickly than one that accesses a to-do API.
To learn more, see Update Access Token Lifetime. The length of lifetime depends on the flow used to obtain the token:
Opaque access tokens. JWT access tokens. Management API access tokens.
What is token-based authentication? Asked 12 years ago. Active 4 months ago.
Luke Girvin I have read a lot of descriptions, but they all seemed light on concrete details. This article finally helped me: scotch.
I think it's well explained here -- quoting just the key sentences of the long article: The general concept behind a token-based authentication system is simple.
Alex Martelli. Am I correct in thinking that in a web application, one or more cookies from the remote web site perform the function of the token?
Obviously they could only use it for x amount of time, but during that period they could do all the damage they needed to. SaurabhVerma it's different from a session because you don't have to store the information in a cookie. That is great for mobile devices, some of which have restrictions on cookie usage.
What are the benefits of using a token-based approach? Asik. Asik All points here are valid except "Stateless" when you start dealing with token revocation, blacklisting, replay attack prevention etc.
The cited site recommends a newer article on the same topic: auth0. Otherwise at least one DB access per API call is necessary. You might want to read "Stop using JWT for sessions": cryto. Link is now broken. Generally, if you want token-based authentication, you should start with OAuth.
OAuth is certainly viable in a Web-based application. But, for example, operating system login sessions use token systems as well, as do many other kinds of software programs, so this idea is not limited to the Web. A token is probably also preferable for a non-public customer support system.
DeepakK