If I get a JWT and I can decode the payload, how is that secure? Couldn’t I just grab the token out of the header, decode and change the user information in the payload, and send it back with the same correct encoded secret? I know they must be secure, but I just would really … Read more
I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send ‘Bearer tokens’ for every request instead of a simple token header but I do think that OAuth is a lot more complex than a simple JWT based authentication. … Read more
For a new node.js project I’m working on, I’m thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user’s browser) to a token-based session approach (no key-value store) using JSON Web Tokens (jwt). The project is a game … Read more
I would like to implement JWT-based authentication to our new REST API. But since the expiration is set in the token, is it possible to automatically prolong it? I don’t want users to need to sign in after every X minutes if they were actively using the application in that period. That would be a … Read more
