Authentication & Authorization Notes
JWT (JSON Web Tokens)
- A compact, URL-safe means of representing claims to be transferred between two parties.
- Consists of three parts separated by dots:
Header.Payload.Signature
- Header: Algorithm & token type (e.g. HS256, JWT).
- Payload: Claims (e.g. user ID, expiration, roles).
- Signature: Verifies that the sender of the JWT is who it says it is and ensures the message wasn't changed along the way.
Session/JWT flow
- Client logs in with credentials.
- Server verifies and issues an Access Token (short-lived, e.g. 15m) and a Refresh Token (long-lived, e.g. 7 days).
- Client stores Refresh Token in a secure,
HttpOnly cookie and Access Token in memory or storage.
- Client includes Access Token in the Authorization header (
Bearer <token>) for protected requests.
- When Access Token expires, client calls
/refresh with the Refresh Token to get a new Access Token.