used for authentication until they expire some day
• It's hard to invalidate sessions
• You have to manage and scale session storage for your web servers
• You have to configure CORS for your API requests if they are on a different domain
sort of API keys for your clients manually
• You have to do everything from scratch: issuing, authorization, expiration, invalidation
• Your key will be just an authentication token
Payload, Signature
• Header typically has a token type and the algorithm being used (HMAC SHA256 or RSA)
• Payload contains claims, reserved (iat, exp, nbf, iss, aud) and custom (e.g. name, email)
• Signature is computed over the encoded header and the encoded payload, joined by a dot, using the secret and the algorithm named in the header
information about the user.
• Compact. Because of their smaller size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header.
• Secure. Information can be verified and trusted because it is cryptographically signed.
claims (e.g. exp) before you trust any information in the JWT. PyJWT does this for you by default.
• Secure the secret signing key used for creating and verifying the signature
• Do not put any sensitive data in a JWT
• Use an asymmetric algorithm (RSA / ECDSA)
access a resource directly (short-lived)
• Refresh tokens carry the information necessary to get a new access token (long-lived)
• Refresh tokens improve security and allow for reduced latency