#Is it safe to use JWT for backend API authentication?

Hello,

I've being thinking whether or not using JWT as the authentication method for a standalone backend would be a good idea, There is JWE but then I'd have to create my own system which I'm alright with but I'd rather see my options first...

I planned to give users a token that contains their userid and raw password but thinking more on it I can't imagen a JWT token containg a raw password being a good idea ? What are your thoughts ?

To me it sounds fine because lets be honest in the end of the day a API token encrypted or not is still something you should not share, I guess I just wanna see if this sorta method is a good idea and in some way industry standard.

@grand urchin - Yeah, so putting a password in a JWT is not a good idea at all. Question that pops in my mind is why wouild you think that should even be necessary?

Hi 👋
JWT shouldn't contain sensitive information. Storing plaintext password in it is not a good idea.
There's no reason to do that either, since you only need the password once, during the authentication step (login).
When your login endpoint validates the user's credentials (username & password), it issues and signs a JWT. The payload of the JWT should be the user's id, possibly their role, or other claims. Just id/username/email is usually enough for most systems.
For the ongoing communication, the client uses only the JWT. Backend should then read the JWT (usually from Authorization header), parse it, and validate its signature. If the signature is correct, backend can trust that the payload comes from authoritative source and was not tampered with.

I figured putting password in token was a bad idea also there Is no login route, the aim is to just have a api token they can use, kinda like discords api token

Trying to think of ways of authentication with api tokens, jwt has being my first idea bit that one evidently seems to be a bad one, not sure what I could try next... I haven't seen any other resources shown off by nextjs... there is jwe but I have yet to look into that

I have tried doing a bit of research on YouTube and Google but the only things I found relating to nestjs is jwt which obviously isn't what I'm looking for, couldn't find any examples on github that do what I'm trying to do either

NestJS is just node.js with few features to help you build backends faster. Find any node.js/express resource that does what you're trying to do and you can do that with Nest just fine.

Do you have any resources I can base my research on ? I could just create my own system but I'd rather base what I do off something that many people already use ?

Kinda like the jwt or jwe standard but more in line with what I'm doing

I personally don't know of a package specifically made for API keys in Nest, but this article explains how to make them and how you should store them and even offer them. https://www.freecodecamp.org/news/best-practices-for-building-api-keys-97c26eabfea9/

There is also a strategy in Passport for API keys. You could use that for guarding purposes, which are in line with the other strategies or rather usages of Passport with Nest.

http://www.passportjs.org/packages/passport-headerapikey/

And an article explaining how to do it. https://medium.com/@Dee_Mayoor/apikey-authentication-for-nestjs-using-passport-js-6db467fc31f7

Wasn't expecting a package from this but this Is exactly the kind of resource I was looking for, thanks a lot mate !

I can't read the pages right now but they look promising and similar to what I was originally thinking but with good information backing them. Thanks again !

Also realize, the creation, storage and validation of the token is the simple part. You will also need a process for granting permissions, if you are expecting to block access to certain parts of your app depending on the needs of the client. This in turn is OAuth again and using granting scopes. Like giving your Discord bot certain permissions to do things with your Discord server.

The creating token and what not is the part I'm a little concern about simply because I don't know much but with the help of the resources you provided, I should manage, Famous last words 😄

With regards to permissions, I was about to say I'm going with a role based system because its simpler but then I thought being able to remove permissions from certain people would be fun, thankfully I finally figured out how to access that sorta information from the passport auth guard so after I implement auth, permissions will be the next thing I try and do 🙂