JWT Authentication


JWT Authentication is when the user successfully logs in using his credentials, a JSON Web Token will be returned from the Authentication Method and must be saved locally (typically in localStorage, but cookies can be also used), instead of the traditional approach of creating a session in the server and returning an Authentication cookie.

Whenever the user wants to access a protected route or resource, the user-agent should send the JSON Web Token, typically in the Authorization Header using the Bearer schema which a non-normative example is shown below:

Authorization: Bearer <token>

JWT Authentication allows a stateless authentication Method as the user state is never saved in server memory. The server's protected Resources will check for a valid JSON Web Token in the Authorization Header, and if it's present, the user will be allowed to access protected Resource. As JSON Web Tokens are self-contained, all the necessary information is there, reducing the need to query the database multiple times.

JWT Authentication also allows you to fully rely on data APIs that are stateless and even make requests to downstream services. Since is does not matter which Security Domain are serving your APIs, so Cross Origin Resource Sharing (CORS) will not be an issue as you do have when using Authentication cookies.

More Information#

There might be more information for this subject on one of the following: