Question 1

How do I handle JWT token expiration in a Ruby API?

Accepted Answer

Use the 'exp' claim when encoding with JWT.encode, and catch JWT::ExpiredSignature during decode. The README shows how to add leeway for clock skew and disable verification if needed.

Question 2

Should I use ruby-jwt or Devise for authentication in Rails?

Accepted Answer

ruby-jwt is for JWT token handling only, ideal for stateless APIs. Devise provides full authentication with database sessions and UI. Pair ruby-jwt with a user management layer if you need JWT-based auth.

Question 3

Is ruby-jwt secure for production use?

Accepted Answer

Yes, it emphasizes security with explicit algorithm verification to prevent attacks, supports strong OpenSSL-based algorithms, and is actively maintained with sponsorship from Auth0, ensuring reliability and updates.

Question 4

How to rotate keys with JWK in ruby-jwt?

Accepted Answer

Use JWT::JWK::Set to manage key sets and the jwks loader option in decode to dynamically fetch keys. This allows seamless rotation by updating the JWKS without downtime, as explained in the JWK integration section.

Question 5

What's the difference between HS256 and RS256 in ruby-jwt?

Accepted Answer

HS256 uses a shared secret key for HMAC signing, suitable for single-server apps. RS256 uses RSA public/private keys, better for distributed systems where public keys can be shared, but requires more key management setup.

Question 6

Can I add custom claims to JWTs in Ruby?

Accepted Answer

Yes, simply include custom key-value pairs in the payload hash when encoding. They become part of the token without special setup, but avoid conflicts with reserved claims like 'exp' or 'iss'.

JWT

What is JWT?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions