re: I am a Developer Advocate for Security in Mobile Apps and APIs, Ask Me Anything

re: Thanks for the detailed explanation. Do you think this process is secure enough? Should I go something different for my use case? I would prefe...

An absolute thank you for all that information, I now have more information about the differentiation between the what and the who. I was only checking the what until now but cannot for sure ensure who is sending the token. I will have a deep look at your links, I also saw some other folks have more detailed explanations and I will take note of those too. Thank you fine sir!

You got it the other way around...

The who represents the user, your JWT token, and the what represents the mechanism used to make the request, aka was the request made by your web app without having been tampered with, was the request made by Postman or by Curl, etc.

So until now you have been checking the who, aka the JWT token that represents the user authentication,
