How to use JSON Web Token
Rafael, Wednesday, January 6, 2016

When you use Jexia or any other advanced Cloud Hosting environment for taking care of your application back-end you will use JWT tokens. JWT tokens are different than cookies. JWT stands for JSON Web Token (JWT). JWT’s are designed as a method for transferring security claims based between parties. Jexia’s RESTful APIs are stateless. This means that each request from a client should include all the information needed to process the request. So a request should include also authentication information. Since we care a lot about your APP security we use JWT tokens on top of your API-key. The use of JWT tokens has many advantages over a using only a single API key.

For example:
[list list_type=”2″ animation=”” actions=”icon-ok-2^icon-ok-2^icon-ok-2^icon-ok-2″ colors=”^^^” list_item_content=”API keys are just random strings, while JWTs contain information and metadata that can describe user identity, authorization data and the validity of the token within a time frame or domain.^JWT data can be inspected.^JWTs have expiration controls.^JWT’s can be used across multiple languages and are quickly and easily interchangeable.” sc_id=”sc1452110473224″]
[title type=”h5″ font_size=”default” font_weight=”400″ align=”left” color=”” bottom_indent=”” use_general_color=”0″ use_border=”0″ animation=”” sc_id=”sc1452155748413″]How do JSON Web Tokens work?[/title]

To access our data in Jexia we need to include an access token in the header of each HTTPS request we send. The Jexia back end allows us to generate an API-key and secret that is needed to retrieve an access token. Secrets belonging to an API key are created automatic. Without a valid secret requesting a valid access token is not possible.

[title type=”h5″ font_size=”default” font_weight=”600″ align=”left” color=”” bottom_indent=”” use_general_color=”0″ use_border=”0″ animation=”” sc_id=”sc1452155768913″]Getting the access token[/title]

To get an access token we send a POST request to our Jexia DataApp, specifying a Key and Secret
(created on the Jexia backend).

In JavaScript using jQuery this would look like:

    url: 'https://<JEXIA-APP-ID>',
    type: 'post',
    data: {
    key: '<JEXIA-KEY>',
    secret: '<JEXIA-SECRET>'
 done(function(data) {

When you create an application to can be used read all data of your dataApp all you want is that the access token granted is enabled to read the data and not to change. Since you can create many different keys to be used for your dataApp which can have different authorization schemes (e.g. read or read-write) you will create an API key for reading.

When your App the successfully authenticates using the provided API key and secret, a JSON Web Token will be returned that allows reading data for the time the JWT token is valid. By default all Jexia JWT tokens expire after two hours and must be refreshed before the expiring time if needed.

Whenever the user of your App wants to access a data resource for reading, it should send the JWT, typically in the Authorization header using the Bearer schema. Therefore the content of the header should look like the following.

   url: 'https://<JEXIA-APP-ID><JEXIA-DATASET>',
   type: 'get',
   headers: {
      'Authorization': 'Bearer <JEXIA-ACCESS-TOKEN>' 
done(function(data) {

When you have your access token, you can get data out of our DataSet by sending a GET request:

The JWT method is by design a stateless authentication mechanism as the state is never saved in theserver memory.
The server’s protected routes will check for a valid JWT in the Authorization header.

If your JWT token is valid reading of data on your dataset is allowed. As JWTs are self-contained, all the necessary information is there, reducing the need of going back and forward to the Jexia back-end.

[title type=”h4″ font_size=”default” font_weight=”400″ align=”left” color=”” bottom_indent=”” use_general_color=”0″ use_border=”0″ animation=”” sc_id=”sc1452110606005″]
The following diagram shows this process:[/title]

[image action=”none” image_action_link=”#” target=”_self” link_title=”” align=”aligncenter” image_size_alias=”” image_alt=”JSON-web-token-image” margin_top=”” margin_right=”” margin_bottom=”” margin_left=”” animation=”” sc_id=”sc1452155245045″][/image]
If you create an application front-end you must supply an API-key with a valid secret in order to use the Jexia Back-end for reading,writing or updating data. Depending on the choices you make for authorization for data access your API-key has limited or full access rights for reading or writing.

At Jexia we are dedicated to host all your data for your Apps fast, secure and reliable. We think Apps can be faster and better when a working back end for your App is already there. Test drive Jexia now, and let us know what your experience is.

Tags: , ,

Categorised in:

This post was written by Rafael


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.