Tag Archives: WEB TOKEN

Using JSON Web Tokens as API Keys

via Using JSON Web Tokens as API Keys.

Most APIs today use an API Key to authenticate legitimate clients. API Keys are very simple to use from the consumer perspective:

  1. You get an API key from the service (in essence a shared secret).
  2. Add the key to an Authorization header.
  3. Call the API.

It can’t get simpler than that, but this approach has some limitations.

The last couple of months, we’ve been working on our API v2. We wanted to share what we’ve learnt implementing a more powerful security model using JSON Web Tokens.

Using a JSON Web Token offers many advantages:

  • Granular Security: API Keys provide an all-or-nothing access. JSON Web Tokens can provide much finer grained control.
  • Homogenous Auth Architecture: Today we use cookies, API keys, home grown SSO solutions, OAuth etc. Standardizing on JSON Web Tokens gives you an homogenous token format across the board.
  • Decentralized Issuance: API keys depend on a central storage and a service to issue them. JSON Web Tokens can be “self-issued” or be completely externalized, opening interesting scenarios as we will see below.
  • OAuth2 Compliance: OAuth2 uses an opaque token that relies on a central storage. You can return a stateless JWT instead, with the allowed scopes and expiration.
  • Debuggability: API keys are opaque random strings. JSON Web Tokens can be inspected.
  • Expiration Control: API keys usually don’t expire unless you revoke them. JSON Web Tokens can (and often do) have an expiration.
  • Devices: You can’t put an API key that has full access on a device, because what is on a phone or tablet can easily be stolen. But you can put a JWT with the right set of permissions.


via How to Write a REST API – Jixee.

[Editor’s Note: We’re starting a new series on this blog, called Jixee Hotfix. It will feature real problems that our engineering team encounter on a weekly basis and the solutions they come up with to fix it. Posts are written by the engineers encountering the problems. This post was written by our VP of Ops, Eric Norton.]

This article is the first in a series that will show you how to write a REST API written in NodeJS and Express, that uses MongoDB to store data, and JSON Web Tokens(JWT)  to provide a simple authentication mechanism.  For those who came here wanting to learn about JSON Web Tokens (JWT) authentication, that is covered in part 2 here.  This installment of the series will only cover details on how to create a REST API using MongoDB as a persistent data store.

You might be asking yourself, ‘why another REST API tutorial?’ With a substantial amount of great articles out there on the subject, it’s a fair question.  Let me give a little background on this project to explain.  A task fell in my lap a short time ago that required a simple REST API to import and export data stored by one of our services.   In my search for a simple solution, I found many great blog articles that covered some of the concepts I was interested in, but not all.  For instance, some discussed building APIs that stored and retrieved data, and some discussed simple JWT auth, but did not cover how you would incorporate a persistent data store.   I decided that I’d like to write an article that combines all of the concepts I was looking for into one concise resource.  While I will cover a lot of the concepts I learned in the aforementioned articles, I encourage you to take a look at what inspired this post, as they are great resources on the subject matter:

Creating A Simple Restful Web App with NodeJS, Express, and MongoDB
REST follow-up exercise, implementing a PUT into a simple web app
Architecting a Secure RESTful Node.js app
Express.js 4, Node.js and MongoDB REST API Tutorial
Build a RESTful API in 5 Minutes with NodeJS – Updated