Question 1

How secure is it to send JWT tokens in URLs?

Accepted Answer

Sending JWTs in URLs is insecure without HTTPS, as tokens can be intercepted. The tutorial recommends using HTTPS and considering single-use tokens for sensitive operations like password resets.

Question 2

What's the best way to store JWT tokens in a browser app?

Accepted Answer

For browser-based apps, localStorage is recommended for storing tokens between sessions, but cookies can be used if set securely. The tutorial discusses trade-offs and suggests localStorage for better control.

Question 3

How do I invalidate a JWT token if a user's device is stolen?

Accepted Answer

To invalidate tokens, you need to store them in a database like Redis or LevelDB and mark them as invalid. The tutorial explains this approach, which adds state but ensures security.

Question 4

JWT vs session cookies: which is better for authentication?

Accepted Answer

JWTs are stateless and scalable for APIs, while session cookies are simpler for web apps with server-side rendering. The tutorial highlights JWTs for stateless authentication but notes cookies still have their place.

Question 5

How to generate a secret key for JWT signing?

Accepted Answer

You can use a strong password or generate a random key with Node.js crypto. The tutorial provides a command: node -e 'console.log(require("crypto").randomBytes(32).toString("hex"));' for creating a secure key.

Question 6

Can I use this JWT example with Express or Hapi.js?

Accepted Answer

Yes, but you'll need to adapt the code. The tutorial is framework-agnostic Node.js, and it references a Hapi.js plugin (hapi-auth-jwt2) for easier integration with Hapi.

Learn how to use JWT for Authentication

What is Learn how to use JWT for Authentication?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions