Secure Authentication, Standardized Tokens
Understand token types, security patterns, and implementation best practices for modern authentication systems.
1. Token Types & Formats
JSON Web Token (JWT)
Standardized format for securely transmitting claims between parties. Use HMAC or RSA for signing.
Opaque Tokens
Random string that references server-side session state. No embedded payload information.
Refresh Tokens
Long-lived token for acquiring new access tokens. Requires secure storage and revocation mechanisms.
2. Security Best Practices
Token Expiration
{
  "access_token": "A1B2C3D4E5F6",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Scope-Based Tokens
{
  "token": "X1Y2Z3A4B5C6",
  "scopes": ["read:user", "write:files"],
  "iss": "api.tokenservice.com"
}
3. Implementation Examples
Client authentication with bearer tokens:
fetch('https://api.example.com/data', {
  method: 'GET',
  headers: {
    // Bearer scheme: possession of the token alone grants access, so it must only travel over HTTPS
    Authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
  }
});
Token Exchange
{
  "grant_type": "client_credentials",
  "client_id": "abc123",
  "client_secret": "xyz456"
}
Revocation Request
POST /revoke
Content-Type: application/json

{
  "token": "XYZ123ABC",
  "reason": "compromised"
}
4. Token Lifecycle Flow
Flow Overview
🔐 Client → 🔄 Auth Server → 🟦 Resource Server
Security Layers
Client authentication (RSA)
Token encryption (AES-256)
JTI claim verification