In this article, we will learn about JWTs and why you should use them for authorization.
JSON web token (
Let’s break this down
JWT is used for AUTHORIZATION, not AUTHENTICATION.
- In authentication, we take in a username and password and make sure it’s correct (logging in).
- In authorization, we make sure the user sending requests to your server is the same user who logged in during authentication. This is usually done with sessions: a session ID is sent to the browser as a cookie and included with later requests to authorize the user.
Session based authentication
USE OF SESSIONS AND COOKIES
In session based authentication, the user logs in from a client (by posting an email and password), and the server does the authentication. If the credentials are correct, the user is stored in the session, and the session is stored on the
Token based authentication
JSON Web Tokens
Why JWT?
Instead of storing information on the server after authentication, the server creates a JSON Web Token: it encodes and serializes the user's claims and signs them with a secret key, so the token cannot be tampered with. This token is then sent back to the browser. Each time a request is sent with the token, the server verifies the signature and sends the response back.
The main difference here is that the user’s state is not stored on the server, as the state is instead stored inside the token on the client-side.
JWT also allows us to use the same JSON Web Token across multiple servers, without running into problems where one server knows about a certain session and another server doesn't.
Most modern web applications use JWT for reasons like scalability and mobile device authentication.
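As an added illustration (not the article's code), the following stdlib-only Python shows the mechanism described above: the server builds an HS256 token, any server holding the same secret verifies it without session state, and a token whose claims were edited after signing fails verification. The secret value and claim names are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"example-shared-secret"  # constructed; shared by every API server

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: bytes, secret: bytes) -> str:
    return _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())

def create_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Serialize header and claims, then sign header.payload with the secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode(), secret)}"

def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is genuine and unexpired, else None."""
    try:
        header_b64, payload_b64, sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the verifier, not the token, decides how to verify.
    if header.get("alg") != "HS256":
        return None
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if isinstance(exp, (int, float)) and current >= exp:
        return None
    return claims

def edit_claims_keep_signature(token: str, **changes) -> str:
    """Test helper: change the payload but keep the old signature, to show rejection."""
    header_b64, payload_b64, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```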