re: Be careful of the JWT hype train VIEW POST

VIEW PARENT COMMENT VIEW FULL DISCUSSION
 

Static site with API backend is not a use case for using JWT.

I use “static” frontends regularly with GraphQL backends and still use sessions with secure httpOnly cookies so they can’t be accessed by the browser.

IMO JWTs are okay for what I refer to as “loose” authentication (when you quickly want to hide some nonsensitive data behind a login using a service such as Auth0 but your not necessarily exposing sensitive data).

Always, when exposing potentially sensitive data, use sessions with secure httpOnly cookies.

 

Static site with API backend is not a use case for using JWT.

it is also not NOT a use case.

I like JWT when you have multiple distributed systems that need to share a single authentication that a single system doesn't have the authority to maintain itself.

Authentication as a Service.

code of conduct - report abuse