Protect your API
Last updated
Auth issues a standard-format authorization token for each authorized API request. The token is a JSON Web Token (JWT) that is signed (a JWS), not encrypted: anyone who holds it can read its claims, so the claims must never carry secrets.
An encoded token consists of three base64url-encoded parts separated by dots:
JOSE Header: declares the token type and the signing algorithm
JWS Payload: carries all the token's claims
JWS Signature: the signature over the encoded header and payload, which your API must verify before trusting any claim
The standard claims in an Auth-issued JWS payload are listed below (the exact set may vary with your custom OIDC config):

Key         Description
jti         unique JWT ID
sub         subject, usually the user ID
iat         timestamp the token was issued at
exp         timestamp the token expires at
client_id   ID of the client application the token was issued to
iss         token issuer identity
aud         audience of the token (the API it is intended for)
Before your API trusts a token, verify that:
The signature verifies against your Auth server's signing key.
The token's issuer (iss) is https://<your-auth-domain>, i.e. it was issued by your Auth server.
The token is within its validity window (exp has not passed).
The audience (aud) names your API, so a token issued for another service is not accepted here.
Various open-source libraries and packages can validate and decode a JWT for you. Pick one that matches the language and framework of your backend application and integrate it there; some examples:
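As an added example (not the page's own sample code and not the Auth server's implementation), the following Python validator performs the checks listed above on a token with the claim layout from the table. It signs with an HS256 shared secret so that it runs offline with only the standard library; the secret, issuer, audience and sample claims are constructed for illustration. An OIDC server will normally sign with an asymmetric algorithm, in which case you pin that algorithm and verify against the issuer's published public key instead, which is what a JWT library does for you.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real Auth server publishes its signing
# key and algorithm through your OIDC configuration; substitute those here.
SECRET = b"example-shared-secret-not-for-production"    # assumed HS256 key
ISSUER = "https://your-auth-domain"                      # iss this API accepts
AUDIENCE = "https://api.example.com"                     # aud naming this API

SAMPLE_CLAIMS = {   # constructed payload following the claim table
    "jti": "1e6a8f2c", "sub": "user-42", "iat": 1000, "exp": 2000,
    "client_id": "my-client", "iss": ISSUER, "aud": AUDIENCE,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Build header.payload.signature as a JWS issuer does (HS256 here)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    """Raised for any reason the API must reject the token."""


def validate_token(token: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and lifetime all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. The alg named in the token is attacker-controlled, so
    # never let it select "none" or a different scheme for verification.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(SECRET, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature does not verify")
    # Only after the signature holds are the claims worth inspecting.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this API")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired")
    if claims.get("iat", 0) > now + 60:   # small clock-skew allowance
        raise TokenError("token issued in the future")
    return claims


def is_valid(token: str, now=None) -> bool:
    try:
        validate_token(token, now)
        return True
    except (TokenError, ValueError):   # ValueError covers bad base64 / JSON
        return False


def demo() -> dict:
    """Run the validator over a good token and the rejections it must produce."""
    good = issue_token(SAMPLE_CLAIMS)
    header_b64, payload_b64, sig_b64 = good.split(".")
    # Attacker edits the payload but cannot re-sign it.
    forged = b64url_encode(json.dumps({**SAMPLE_CLAIMS, "sub": "admin"}).encode())
    # Attacker swaps the header to alg "none" and drops the signature.
    none_header = b64url_encode(b'{"typ":"JWT","alg":"none"}')
    return {
        "valid": is_valid(good, now=1500),
        "expired": is_valid(good, now=2500),
        "tampered_payload": is_valid(header_b64 + "." + forged + "." + sig_b64, now=1500),
        "alg_none": is_valid(none_header + "." + payload_b64 + ".", now=1500),
        "wrong_audience": is_valid(issue_token({**SAMPLE_CLAIMS, "aud": "https://other.example.com"}), now=1500),
        "wrong_issuer": is_valid(issue_token({**SAMPLE_CLAIMS, "iss": "https://attacker.example.com"}), now=1500),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, because until then the payload is just attacker-supplied bytes. The `wrong_issuer` case carries a valid signature under the same key and is still rejected, which is why the iss and aud checks are not optional even when the signature holds.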
Reference
Auth uses the OAuth 2.0 authorization code flow to protect your API requests. If you are interested in the design behind it, refer to the OAuth 2.0 specification for more details.