DEV Community: Chris The latest articles on DEV Community by Chris (@rozaru). https://dev.to/rozaru https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3886527%2F522ab062-1d8f-4d49-b2b3-8d7482163fbd.jpg DEV Community: Chris https://dev.to/rozaru en Rails 8 API with Devise-JWT Chris Sun, 19 Apr 2026 23:28:03 +0000 https://dev.to/rozaru/rails-8-api-with-devise-jwt-2136 https://dev.to/rozaru/rails-8-api-with-devise-jwt-2136 <p>Here, i will be building an API and documenting my steps. if something is wrong, feel free to comment.</p> <p><strong>What is Devise-JWT?</strong></p> <ul> <li>Devise-JWT is a Devise extension that uses JSON Web Tokens (JWTs) to secure API endpoints. When a user logs in, Devise-JWT issues a token that the client must include in requests to prove their identity. Additionally, Devise-JWT generates a JTI(JWT ID)—a unique identifier for each access token, which is stored in the user's database record. This allows the system to track and invalidate tokens by ensuring the token's JTI matches the one currently stored in the database</li> </ul> <h2> Setting Up the Project </h2> <p><strong>1. Create a Rails API application with postgresql</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails new backend <span class="nt">--api</span> <span class="nt">--database</span><span class="o">=</span>postgresql <span class="nb">cd </span>backend rails db:create <span class="c"># Creates below 2 databases</span> <span class="c"># Created database 'backend_development'</span> <span class="c"># Created database 'backend_test'</span> </code></pre> </div> <p><strong>2. Configure Rack-CORS for API only application</strong></p> <blockquote> <p>Update Gemfile to add/uncomment gem 'rack-cors'<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">gem</span> <span class="s1">'rack-cors'</span> </code></pre> </div> <blockquote> <p>Add the following contents to config/initializers/cors.rb file.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#config/initializers/cors.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">config</span><span class="p">.</span><span class="nf">middleware</span><span class="p">.</span><span class="nf">insert_before</span> <span class="mi">0</span><span class="p">,</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Cors</span> <span class="k">do</span> <span class="n">allow</span> <span class="k">do</span> <span class="n">origins</span> <span class="s1">'http://localhost:3000'</span> <span class="n">resource</span><span class="p">(</span> <span class="s1">'*'</span><span class="p">,</span> <span class="ss">headers: :any</span><span class="p">,</span> <span class="ss">expose: </span><span class="p">[</span> <span class="s2">"Authorization"</span> <span class="p">],</span> <span class="ss">methods: </span><span class="p">[</span><span class="ss">:get</span><span class="p">,</span> <span class="ss">:patch</span><span class="p">,</span> <span class="ss">:put</span><span class="p">,</span> <span class="ss">:delete</span><span class="p">,</span> <span class="ss">:post</span><span class="p">,</span> <span class="ss">:options</span><span class="p">,</span> <span class="ss">:show</span><span class="p">]</span> <span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="c1"># without expose Authorization, the frontend can't read the JWT</span> </code></pre> </div> <p><strong>3. Add the following gems and run bundle install.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">gem</span> <span class="s1">'devise'</span> <span class="n">gem</span> <span class="s1">'devise-jwt'</span> <span class="n">gem</span> <span class="s1">'jsonapi-serializer'</span> <span class="c1">#devise handles Authentication</span> <span class="c1">#devise-jwt adds JWT Token on top of Devise, in turn issues a </span> <span class="c1">#token on login, revoke it on logout, validate it on every request.</span> <span class="c1">#jsonapi-serializer handles which fields get exposed, formats responses.</span> </code></pre> </div> <p><strong>4. Configure devise</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails generate devise:install </code></pre> </div> <p>Devise:install creates the following: JWT Settings, Mailer sender Address, Password length requirements, token expiry</p> <blockquote> <p>Update for API only apps, navigation format should be empty<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#config/initializers/devise.rb</span> <span class="n">config</span><span class="p">.</span><span class="nf">navigational_formats</span> <span class="o">=</span> <span class="p">[]</span> </code></pre> </div> <p><strong>5. Create User model</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails generate devise User rails db:create db:migrate </code></pre> </div> <blockquote> <p>Generate Controllers to later handle sign-up, login and logout<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails g devise:controllers api/v1 <span class="nt">-c</span> sessions registrations </code></pre> </div> <blockquote> <p>Update Sessions and Registrations Controllers<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#app/controllers/users/sessions_controller.rb</span> <span class="k">class</span> <span class="nc">Users::SessionsController</span> <span class="o">&lt;</span> <span class="no">Devise</span><span class="o">::</span><span class="no">SessionsController</span> <span class="n">respond_to</span> <span class="ss">:json</span> <span class="k">end</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#app/controllers/users/registrations_controller.rb</span> <span class="k">class</span> <span class="nc">Users::RegistrationsController</span> <span class="o">&lt;</span> <span class="no">Devise</span><span class="o">::</span><span class="no">RegistrationsController</span> <span class="n">respond_to</span> <span class="ss">:json</span> <span class="k">end</span> </code></pre> </div> <blockquote> <p>Add the routes aliases to override default routes provided by devise in the routes<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#config/routes.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="n">devise_for</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">path: </span><span class="s2">"api/v1"</span><span class="p">,</span> <span class="ss">path_names: </span><span class="p">{</span> <span class="ss">sign_in: </span><span class="s2">"login"</span><span class="p">,</span> <span class="ss">sign_out: </span><span class="s2">"logout"</span><span class="p">,</span> <span class="ss">registration: </span><span class="s2">"signup"</span> <span class="p">},</span> <span class="ss">controllers: </span><span class="p">{</span> <span class="ss">sessions: </span><span class="s2">"api/v1/sessions"</span><span class="p">,</span> <span class="ss">registrations: </span><span class="s2">"api/v1/registrations"</span> <span class="p">}</span> <span class="k">end</span> </code></pre> </div> <p><strong>6. Configure Devise-JWT</strong><br> JWT needs to be created with a secret private key that shouldn't be revealed to the public.</p> <blockquote> <p>Run in terminal to create a secret<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails secret </code></pre> </div> <blockquote> <p>Run in terminal to open .yml<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">EDITOR</span><span class="o">=</span><span class="s1">'code --wait'</span> rails credentials:edit </code></pre> </div> <blockquote> <p>Add devise_jwt_secret_key and paste secret<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># Other secrets... </span> <span class="ss">devise_jwt_secret_key: </span><span class="s2">"paste rails secret"</span> <span class="c1">#Save with cmd + s, after press cmd + w for yml to close</span> <span class="c1">#wait 2s, and verify in terminal for "File encrypted and saved".</span> </code></pre> </div> <blockquote> <p>You can verify secret key in the terminal with:<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails credentials:show </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#config/initializers/devise.rb</span> <span class="n">config</span><span class="p">.</span><span class="nf">jwt</span> <span class="k">do</span> <span class="o">|</span><span class="n">jwt</span><span class="o">|</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">secret</span> <span class="o">=</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="ss">:devise_jwt_secret_key</span><span class="p">)</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">dispatch_requests</span> <span class="o">=</span> <span class="p">[</span> <span class="p">[</span> <span class="s2">"POST"</span><span class="p">,</span> <span class="sr">%r{^/api/v1/login$}</span> <span class="p">]</span> <span class="p">]</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">revocation_requests</span> <span class="o">=</span> <span class="p">[</span> <span class="p">[</span> <span class="s2">"DELETE"</span><span class="p">,</span> <span class="sr">%r{^/api/v1/logout$}</span> <span class="p">]</span> <span class="p">]</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">expiration_time</span> <span class="o">=</span> <span class="mi">15</span><span class="p">.</span><span class="nf">minutes</span><span class="p">.</span><span class="nf">to_i</span> <span class="k">end</span> </code></pre> </div> <p><strong>7. Set up a revocation strategy</strong></p> <ul> <li><p>Revocation of tokens is an important security concern. Devise-JWT gem comes with three revocation strategies out of the box. You can read more about them here <a href="https://medium.com/@ahmedosamaft/understanding-jwt-revocation-strategies-allowlist-denylist-and-jti-matcher-9d298893f8a1" rel="noopener noreferrer">Revocation JWT Strategies</a></p></li> <li><p>I’ll be going with a recommended one which is to store a single valid user attached token with the user record in the users table.</p></li> <li><p>Here, the model class acts itself as the revocation strategy. It needs a new string column with name jti to be added to the user. jti stands for JWT ID, and it is a standard claim meant to uniquely identify a token.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails g migration addJtiToUsers jti:string:index:unique </code></pre> </div> <blockquote> <p>Update migration file<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#db/migrate/xxxxxxxxx_add_jti_to_users.rb</span> <span class="k">def</span> <span class="nf">change</span> <span class="n">add_column</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">:jti</span><span class="p">,</span> <span class="ss">:string</span><span class="p">,</span> <span class="ss">null: </span><span class="kp">false</span> <span class="n">add_index</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">:jti</span><span class="p">,</span> <span class="ss">unique: </span><span class="kp">true</span> <span class="c1"># If you already have user records, you will need to initialize its `jti` column before setting it to not nullable. Your migration will look this way:</span> <span class="c1"># add_column :users, :jti, :string</span> <span class="c1"># User.all.each { |user| user.update_column(:jti, SecureRandom.uuid) }</span> <span class="c1"># change_column_null :users, :jti, false</span> <span class="c1"># add_index :users, :jti, unique: true</span> <span class="k">end</span> </code></pre> </div> <blockquote> <p>Run migration<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Rails db:migrate </code></pre> </div> <blockquote> <p>Update User file to add revocation strategy<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#app/models/user.rb</span> <span class="k">class</span> <span class="nc">User</span> <span class="o">&lt;</span> <span class="no">ApplicationRecord</span> <span class="kp">include</span> <span class="no">Devise</span><span class="o">::</span><span class="no">JWT</span><span class="o">::</span><span class="no">RevocationStrategies</span><span class="o">::</span><span class="no">JTIMatcher</span> <span class="c1"># Include default devise modules. Others available are:</span> <span class="c1"># :confirmable, :lockable, :timeoutable, :trackable and :omniauthable</span> <span class="n">devise</span> <span class="ss">:database_authenticatable</span><span class="p">,</span> <span class="ss">:registerable</span><span class="p">,</span> <span class="ss">:recoverable</span><span class="p">,</span> <span class="ss">:rememberable</span><span class="p">,</span> <span class="ss">:validatable</span><span class="p">,</span> <span class="ss">:jwt_authenticatable</span><span class="p">,</span> <span class="ss">jwt_revocation_strategy: </span><span class="nb">self</span> <span class="k">end</span> </code></pre> </div> <blockquote> <p>🔑 How JTI revocation works</p> </blockquote> <ul> <li><p>When a user logs in, Device-JWT create an access token with a jti claim (“abc-123”) that matches the user’s current jti in the database</p></li> <li><p>The token stays valid as long as a token.jti == user.jti</p></li> </ul> <p><strong>8. Add respond_with using jsonapi_serializers method</strong></p> <ul> <li>As we already added the jsonapi-serializer gem, we can now generate a serializer to configure the json format we’ll want to send to our back end API to the Front End. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails generate serializer user <span class="nb">id </span>email created_at </code></pre> </div> <ul> <li>This will create a serializer with a predefined structure. Now, we have to add the attributes we want to include as a user response. So, we’ll add the user’s id, email and created_at. So the final version of user_serializer.rb looks like this: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#app/serializers/user_serializer.rb</span> <span class="k">class</span> <span class="nc">UserSerializer</span> <span class="kp">include</span> <span class="no">JSONAPI</span><span class="o">::</span><span class="no">Serializer</span> <span class="n">attributes</span> <span class="ss">:id</span><span class="p">,</span> <span class="ss">:email</span><span class="p">,</span> <span class="ss">:created_at</span> <span class="k">end</span> </code></pre> </div> <ul> <li>Now, we have to tell devise to communicate through JSON by adding these methods in the RegistrationsController and SessionsController </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">Api::V1::RegistrationsController</span> <span class="o">&lt;</span> <span class="no">Devise</span><span class="o">::</span><span class="no">RegistrationsController</span> <span class="n">respond_to</span> <span class="ss">:json</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">respond_with</span><span class="p">(</span><span class="n">resource</span><span class="p">,</span> <span class="n">_opts</span> <span class="o">=</span> <span class="p">{})</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="nf">method</span> <span class="o">==</span> <span class="s2">"POST"</span> <span class="o">&amp;&amp;</span> <span class="n">resource</span><span class="p">.</span><span class="nf">persisted?</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">status: </span><span class="p">{</span> <span class="ss">code: </span><span class="mi">201</span><span class="p">,</span> <span class="ss">message: </span><span class="s2">"Signed up successfully."</span> <span class="p">},</span> <span class="ss">data: </span><span class="no">UserSerializer</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">resource</span><span class="p">).</span><span class="nf">serializable_hash</span><span class="p">[</span><span class="ss">:data</span><span class="p">][</span><span class="ss">:attributes</span><span class="p">]</span> <span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">elsif</span> <span class="n">request</span><span class="p">.</span><span class="nf">method</span> <span class="o">==</span> <span class="s2">"DELETE"</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">status: </span><span class="p">{</span> <span class="ss">code: </span><span class="mi">204</span><span class="p">,</span> <span class="ss">message: </span><span class="s2">"Account deleted successfully."</span> <span class="p">}</span> <span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">status: </span><span class="p">{</span> <span class="ss">code: </span><span class="mi">422</span><span class="p">,</span> <span class="ss">message: </span><span class="s2">"User couldn't be created successfully. </span><span class="si">#{</span><span class="n">resource</span><span class="p">.</span><span class="nf">errors</span><span class="p">.</span><span class="nf">full_messages</span><span class="p">.</span><span class="nf">to_sentence</span><span class="si">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">},</span> <span class="ss">status: :unprocessable_entity</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">Api::V1::SessionsController</span> <span class="o">&lt;</span> <span class="no">Devise</span><span class="o">::</span><span class="no">SessionsController</span> <span class="n">respond_to</span> <span class="ss">:json</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">respond_with</span><span class="p">(</span><span class="n">resource</span><span class="p">,</span> <span class="n">_opts</span> <span class="o">=</span> <span class="p">{})</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">status: </span><span class="p">{</span> <span class="ss">code: </span><span class="mi">200</span><span class="p">,</span> <span class="ss">message: </span><span class="s2">"Logged in successfully."</span> <span class="p">},</span> <span class="ss">data: </span><span class="no">UserSerializer</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">resource</span><span class="p">).</span><span class="nf">serializable_hash</span><span class="p">[</span><span class="ss">:data</span><span class="p">][</span><span class="ss">:attributes</span><span class="p">]</span> <span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">respond_to_on_destroy</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">)</span> <span class="k">if</span> <span class="n">current_user</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">status: </span><span class="p">{</span> <span class="ss">code: </span><span class="mi">200</span><span class="p">,</span> <span class="ss">message: </span><span class="s2">"Logged out successfully."</span> <span class="p">}</span> <span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">status: </span><span class="p">{</span> <span class="ss">code: </span><span class="mi">401</span><span class="p">,</span> <span class="ss">message: </span><span class="s2">"Couldn't find an active session."</span> <span class="p">}</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><strong>9. Configure Devise for Rails 8 API mode</strong></p> <ul> <li><p>In Rails 7 there is an unfixed bug in Devise. An issue on the Devise-JWT repo that discusses this problem including a few fixes. A work around was to create a racks session fix "ActionDispatch::Request::Session::DisabledSessionError"</p></li> <li><p>In Rails 8.1, store: false which will prevent Warden from storing user sessions.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#config/initializers/devise.rb</span> <span class="no">Devise</span><span class="p">.</span><span class="nf">setup</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="c1"># ... existing code ...</span> <span class="n">config</span><span class="p">.</span><span class="nf">warden</span> <span class="k">do</span> <span class="o">|</span><span class="n">warden</span><span class="o">|</span> <span class="n">warden</span><span class="p">.</span><span class="nf">scope_defaults</span> <span class="ss">:user</span><span class="p">,</span> <span class="p">{</span> <span class="ss">store: </span><span class="kp">false</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><strong>10. Testing with Postman</strong></p> <ul> <li>User Signup</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9duun8lv1hujqx12h2p3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9duun8lv1hujqx12h2p3.png" alt=" "></a></p> <ul> <li>User Login</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8evnwj86jgvjqcvn7zhq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8evnwj86jgvjqcvn7zhq.png" alt=" "></a></p> <blockquote> <p>After login, check if authorization token was received</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzdg7is9232jf8dk99lb5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzdg7is9232jf8dk99lb5.png" alt=" "></a></p> <ul> <li>User Logout</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5925ny78rqysrgjf0w6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5925ny78rqysrgjf0w6.png" alt=" "></a></p> <p><strong>Using JTI in server</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">rails</span> <span class="n">c</span> <span class="n">irb</span><span class="p">(</span><span class="n">main</span><span class="p">):</span><span class="mo">001</span><span class="o">&gt;</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_by</span><span class="p">(</span><span class="ss">email: </span><span class="s2">"user@gmail.com"</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="c1">#&lt;User id: 1, ... , jti: "311b4143-5ef6-49a1-8d16-20c2739db951"&gt;</span> <span class="n">irb</span><span class="p">(</span><span class="n">main</span><span class="p">):</span><span class="mo">002</span><span class="o">&gt;</span> <span class="n">user</span><span class="p">.</span><span class="nf">update!</span><span class="p">(</span><span class="ss">jti: </span><span class="no">SecureRandom</span><span class="p">.</span><span class="nf">uuid</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="c1">#&lt;User id: 1, ... , jti: "c695964b-9b28-46b6-b97d-91cce9bd05d8"&gt;</span> </code></pre> </div> <ul> <li><p>Now with devise-jwt, each user has a jti, a unique identifier to their access token. One way to revoke the old token is to update the jti in console, essentially removing access to the old token and creating a new token in the process.</p></li> <li><p>How can JTI be used in future app?<br> You can create a force_logout in user controllers to nuke the tokens as a button in FrontEnd.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">def</span> <span class="nf">force_logout</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:id</span><span class="p">])</span> <span class="no">User</span><span class="p">.</span><span class="nf">transaction</span> <span class="k">do</span> <span class="n">user</span><span class="p">.</span><span class="nf">update!</span><span class="p">(</span><span class="ss">jti: </span><span class="no">SecureRandom</span><span class="p">.</span><span class="nf">uuid</span><span class="p">)</span> <span class="k">end</span> <span class="n">head</span> <span class="ss">:no_content</span> <span class="k">end</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">namespace</span> <span class="ss">:api</span><span class="p">,</span> <span class="ss">defaults: </span><span class="p">{</span> <span class="ss">format: :json</span> <span class="p">}</span> <span class="k">do</span> <span class="n">namespace</span> <span class="ss">:v1</span> <span class="k">do</span> <span class="n">resources</span> <span class="ss">:users</span> <span class="k">do</span> <span class="n">post</span> <span class="ss">:force_logout</span><span class="p">,</span> <span class="ss">on: :member</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><strong>Final JTI Explanation</strong></p> <ul> <li><p>In this setup, the <code>jti</code> value in the database only updates when a user explicitly triggers a revocation event, such as a logout request, password reset, or a force-logout perfomed via the console. Because the JTIMatcher strategy is being used, the jti stored in the user's database must match the jti claim inside the JWT for the token to be considered valid.</p></li> <li><p>This means that even though the access tokens are short-lived (expiring every 15 minutes), Devise will continue to issue tokens using the same stored jti until it is changed. Once the jti in the database is updated, every existing token containing the old ID is atomically rejected, effectively logging the user out accross all devices.</p></li> <li><p>You can test in jwt decoder sites like <a href="https://www.jwt.io/" rel="noopener noreferrer">jwt.io</a></p></li> </ul> <p><strong>When preparing to go live</strong></p> <ul> <li>Remember to edit production environment for you app. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/environments/production.rb</span> <span class="n">config</span><span class="p">.</span><span class="nf">action_mailer</span><span class="p">.</span><span class="nf">default_url_options</span> <span class="o">=</span> <span class="p">{</span> <span class="ss">host: </span><span class="s1">'yourapp.com'</span><span class="p">,</span> <span class="ss">protocol: </span><span class="s1">'https'</span> <span class="p">}</span> </code></pre> </div> <p><strong>Extra: Adding extra roles in JWT</strong></p> <ul> <li>When Building an app that distinguishes between a regular user and an admin. You’ll need roles. While you could fetch the user's role from the database on every request, adding it directly into the JWT is more efficient.</li> </ul> <blockquote> <p>To do this, add a jwt_payload method to the User model<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#app/models/user.rb</span> <span class="k">class</span> <span class="nc">User</span> <span class="o">&lt;</span> <span class="no">ApplicationRecord</span> <span class="c1"># ... existing code ...</span> <span class="k">def</span> <span class="nf">jwt_payload</span> <span class="k">super</span><span class="p">.</span><span class="nf">merge</span><span class="p">(</span> <span class="s2">"email"</span> <span class="o">=&gt;</span> <span class="n">email</span><span class="p">,</span> <span class="s2">"role"</span> <span class="o">=&gt;</span> <span class="n">role</span> <span class="c1"># Assuming you have a role</span> <span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><strong>Why include roles in the token?</strong></p> <ul> <li><p>Instant Authorization: Since Devise-JWT already validates the token on every request, the API immediately knows if a user is an admin or a guest.</p></li> <li><p>A Smarter Frontend: React, Vue, or mobile frontend can decode the JWT to see the user's role instantly. This allows to show or hide admin dashboards and restrict navigation without having to make a separate "Who am I?" API call.</p></li> </ul> <p><strong>The "Role Sync" Situation</strong></p> <ul> <li><p>There is one important detail to keep in mind: JWTs are snapshots in time.</p></li> <li><p>When promoting a user to "Admin" in the database, their current JWT won't know that yet, it still contains the "User" role from when they first logged in. By default, they would have to wait for their token to expire (15 minutes) to see the change.</p></li> <li><p>The Better Solution: Since the JTIMatcher revocation strategy is being used, One can force an immediate update by rotating the user's jti at the same time their role is changed.</p></li> </ul> <blockquote> <p>This is in development environment, rails c<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># Upgrading a user's permissions</span> <span class="n">user</span><span class="p">.</span><span class="nf">update!</span><span class="p">(</span><span class="ss">role: </span><span class="s1">'admin'</span><span class="p">,</span> <span class="ss">jti: </span><span class="no">SecureRandom</span><span class="p">.</span><span class="nf">uuid</span><span class="p">)</span> </code></pre> </div> <ul> <li>By changing the jti in the database, the old token (with the old role) is automatically rejected because the token jti no longer matches the user jti. This forces the user to re-authenticate, ensuring they get a fresh token with their new admin powers immediately.</li> </ul> api learning rails