re: Be careful of the JWT hype train VIEW POST

TOP OF THREAD FULL DISCUSSION
re: I think there's way too much hype around it and people are using JWT because it's shiny! As our industry shifts our paradigm from monoliths to mi...
 

Static site with API backend is not a use case for using JWT.

I use “static” frontends regularly with GraphQL backends and still use sessions with secure httpOnly cookies so they can’t be accessed by the browser.

IMO JWTs are okay for what I refer to as “loose” authentication (when you quickly want to hide some nonsensitive data behind a login using a service such as Auth0 but your not necessarily exposing sensitive data).

Always, when exposing potentially sensitive data, use sessions with secure httpOnly cookies.

 

Static site with API backend is not a use case for using JWT.

it is also not NOT a use case.

I like JWT when you have multiple distributed systems that need to share a single authentication that a single system doesn't have the authority to maintain itself.

Authentication as a Service.

code of conduct - report abuse