Best practices for processing user data using JWT

I am implementing a stateless API through JSON Web Tokens (JWT). Right now I'm wondering what is the best way to bring user data to the front end. These are the fields that I need to access on the interface:

username, email, role, full_name, description, profile_img, facebook_id, twitter_id, custom_setting_1, custom_setting_2, custom_setting_3, custom_setting_4

There are two options that I see:

  • When creating the JWT, add user data to the JWT payload. And then decrypt it at the front end. Although I worry if I add all the data, the payload will be quite large.
  • I can only add immutable fields to the JWT, such as username, role. After creating and returning the JWT to the interface module, I send another request for user data from the API.

Perhaps I also missed something. So I wonder what the best approach is handling user data using JWT.

+4
1 answer

Once you use JWT for authentication purposes (I understand that your server generates an authentication token, which the client must send to the server in each request), you should not include all these details in the token.

Your second approach makes sense:

I can only add to JWT immutable fields, such as username, role. After creating and returning the JWT to the interface module, I send another request for user data from the API.

Keep your JWT lean and run another request to have user data.


+1
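As an added illustration of the answer's recommendation (this is example code written for this page, not code from the question's author or from any JWT library), the following stdlib-only Python shows both options side by side: a lean HS256 token carrying only the immutable claims (sub, role, iat, exp) and a "fat" token carrying every profile field, plus the separate profile lookup that the lean token authenticates. The secret, the in-memory USER_STORE and the user record are constructed placeholders. Note that the payload is only base64url-encoded, not encrypted, so anything placed in it is readable by whoever holds the token; the signature prevents tampering, it does not provide confidentiality.

```python
"""Lean JWT claims plus a separate profile lookup (HS256, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server secret; in production load it from a secrets manager.
SECRET = b"constructed-demo-secret-do-not-use"

# Constructed stand-in for the user store the API would query on the second request.
USER_STORE = {
    "alice": {
        "username": "alice",
        "email": "alice@example.com",
        "role": "editor",
        "full_name": "Alice Example",
        "description": "Writes things.",
        "profile_img": "https://example.com/img/alice.png",
        "facebook_id": "fb-000",
        "twitter_id": "tw-000",
        "custom_setting_1": "dark",
        "custom_setting_2": "compact",
        "custom_setting_3": True,
        "custom_setting_4": 42,
    }
}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact HS256 JWT. The payload is readable by anyone holding
    the token; the HMAC only stops it from being altered."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse 'none' and any unexpected algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("expired")
    return claims


def issue_lean_token(username: str, now: float, ttl: int = 900) -> str:
    """The answer's approach: only identity and authorisation claims go in."""
    user = USER_STORE[username]
    claims = {"sub": user["username"], "role": user["role"], "iat": int(now), "exp": int(now) + ttl}
    return sign_jwt(claims)


def issue_fat_token(username: str, now: float, ttl: int = 900) -> str:
    """Option 1 from the question: every profile field in the payload."""
    claims = dict(USER_STORE[username])
    claims.update({"sub": username, "iat": int(now), "exp": int(now) + ttl})
    return sign_jwt(claims)


def get_profile(token: str, now: Optional[float] = None) -> dict:
    """The follow-up request: the token authenticates, the store supplies the data,
    so changes to the profile are visible without re-issuing the token."""
    claims = verify_jwt(token, now=now)
    return USER_STORE[claims["sub"]]


if __name__ == "__main__":
    t = time.time()
    lean, fat = issue_lean_token("alice", t), issue_fat_token("alice", t)
    print(f"lean token: {len(lean)} bytes, fat token: {len(fat)} bytes")
    print("profile via lean token:", get_profile(lean)["email"])
```

The hand-rolled signing here exists only to make the comparison self-contained; in a real service use a maintained JWT library and keep the same shape: short-lived token with sub, role and exp, everything else fetched from the API on demand.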
