Authority
  • Introduction
  • In Action
  • Performance at Scale
  • Roadmap / Features
  • Getting Started
    • Introduction
    • Installation
    • Configuration Overview
  • Authentication
    • Authentication Guide
    • API Documentation
    • Customizing Authentication
  • Security & Error Handling
    • Security Considerations
    • Error Handling & Troubleshooting
  • Providers
    • Client Providers
    • Owner Providers
  • API Endpoints
    • API Endpoints
  • DEVELOPMENT
    • Requirements
    • Database
    • User Interface
    • Specs
    • Deployment
      • Environment Variables
  • Reference
    • OAuth Terms
    • OAuth 2 Grant Flows
      • Device Flow
      • Authorization Flow
      • Client Credentials Flow
      • Refreshing Access Tokens
      • Access Token Response
      • Json Web Tokens
      • Legacy: Implicit grant
      • Legacy: Password
    • Open ID Connect
      • Configuration
      • Registering Clients
      • User Info
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Reference
  2. OAuth 2 Grant Flows

Json Web Tokens

PreviousAccess Token ResponseNextLegacy: Implicit grant

Last updated 3 years ago

Was this helpful?

Self-Encoded Access Tokens

Self-encoded tokens provide a way to avoid storing tokens in a database by encoding all of the necessary information in the token string itself. The main benefit of this is that API servers are able to verify access tokens without doing a database lookup on every API request, making the API much more easily scalable.

The benefit of OAuth 2.0 Bearer Tokens is that applications don’t need to be aware of how you’ve decided to implement access tokens in your service. This means it’s possible to change your implementation later without affecting clients.

A common technique for this is using the (JWS) standard to handle encoding, decoding and verification of tokens. The (JWT) specification defines some terms you can use in the JWS, as well as defines some timestamp terms to determine whether a token is valid. We’ll use a JWT library in this example, since it provides built-in handling of expiration.

JSON Web Signature
JSON Web Token