Why you should not use JWT

Submitted by Style Pass, 2021-10-27 17:30:14

How do you handle user authentication in your web app or API? When it comes to implementing auth, JSON Web Tokens (JWT for short) are often touted as an industry best practice. On some platforms and for some frameworks they are the first thing that comes to mind: we've seen many discussions on developer forums (such as /r/node) where the only alternatives suggested were JWT, if you're doing it yourself, or a third-party service such as Auth0.

When we added Node support to API Bakery, we thought long and hard about whether to include JWT, because of its popularity. We decided against it. Here's why, and why you should probably not use JWT either.

Most client-server communication on the web today is stateless request-response (websockets are super useful, but people are not replacing plain old requests with them). Each HTTP request arrives on its own, with nothing tying it to the requests before it. This means that after your user logs in (for example, by providing email and password to your server), you, as a web developer, need to think about how the next time that user's request hits your server you'll know it's from the same user.

The first popular mechanism was cookies: arbitrary key-value pairs the server sends to the client in a Set-Cookie response header. The client sends the same cookie key-value pairs back, in a Cookie header, on every following request to that site. The server can then inspect the cookies it receives and figure out information about the client. For authentication, the cookie value is usually an opaque, randomly generated session identifier that the server looks up in its own session store; the user's identity never leaves the server, only the identifier does.