# Protect your API

### **Validate the API request's authorization token**

Auth issues an authorization token in the standard [JWT](https://datatracker.ietf.org/doc/html/rfc7519) format for each authorized API request. The token is encrypted and signed as a [JWS](https://datatracker.ietf.org/doc/html/rfc7515) token.

#### **Understanding the JWS token**

An encoded [JWS](https://datatracker.ietf.org/doc/html/rfc7515) token is made of three parts:

* JOSE Header: declares the token type and the signing algorithm
* JWS Payload: carries all of the token's claims
* JWS Signature: the signature produced with the issuer's [JWK](https://datatracker.ietf.org/doc/html/rfc7517)

The standard schema of an Auth-issued JWS payload (claims may vary, depending on your custom OIDC configuration):

| **Key**   | **Description**                     |
| --------- | ----------------------------------- |
| jti       | unique JWT ID                       |
| sub       | subject, usually the user ID        |
| iat       | timestamp the token was issued at   |
| exp       | timestamp the token expires at      |
| client_id | client ID                           |
| iss       | token issuer identity               |
| aud       | audience of the token               |

{% hint style="info" %}
INFO

For development, you can visit [jwt.io](https://jwt.io/) to decode and visually inspect the tokens you receive. Be careful with tokens from a production environment, or better, never paste them there: jwt.io is a public online service run by a third party, so your token may be exposed.
{% endhint %}

#### **Validate the authorization token**

1. [Validate the JWT.](https://datatracker.ietf.org/doc/html/rfc7519#section-7.2)
2. [Validate the JWS signature.](https://datatracker.ietf.org/doc/html/rfc7515#section-5.2)
3. Check that the token's issuer is `https://<your-auth-domain>` (that is, it was issued by your Auth server).
4. Check that the token is within its expiration time.

There are various open-source libraries and packages that can help you decode and validate a JWT easily. Pick one and integrate it with your backend application according to the language and framework you use. See the examples we provide:

* [Node(Express)](https://docs.logto.io/docs/recipes/protect-your-api/node)
* [Spring Boot](https://docs.logto.io/docs/recipes/protect-your-api/spring-boot)
* [Python](https://docs.logto.io/docs/recipes/protect-your-api/python)

**Reference**

Auth uses the OAuth 2.0 authorization code flow to make your API requests safer. If you are interested in the strategy behind it, refer to the OAuth 2.0 [official document](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.1) for more details.
