Authentication
How to use JWT to authenticate with our RESTful API
Last updated
Was this helpful?
How to use JWT to authenticate with our RESTful API
Last updated
Was this helpful?
To authenticate a request, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to our back-end RESTful API.
Bloqifi RESTful API validates a JWT in a performant way by using the JWT issuer's .
Although this example is somewhat basic, it should provide a clear idea of our logic with JWT. As stated above, any interaction with our secure RESTful API would start with a login request, which would look something like the following:
POST https://api.bloqifi.com/v0/token
email*
String
[a-z0-9._%+-]+@[a-z0-9.-]+.[a-z]{2,4}$
password*
String
(?=.\d)(?=.[a-z])(?=.*[A-Z]).{6,}
The payload is as follows:
Assuming the credentials are valid, the system would return a new JSON Web Token. (Access & Refresh) Let’s go over the details of this token. Particularly, let’s think about the information inside our payload. Some interesting options could be:
Email: Contains the email of the logged in user, which is especially useful since we might want to show that in our UI
Exp: We’ll only allow our new token to be used for the next fifteen minutes, which is about how long users should need it on a daily basis, before requesting a new access token based on their refresh token.
Status: Contains the status of the logged in user, which is useful since we might need to verify this account.
To keep things simple, we’ll use an HS256 algorithm for encoding the data.
Let’s consider what the different sections of our token should look like:
Header: with the type (JWT) and type of coding.
Payload: It is where the user’s information will be found that will allow the server to discern whether or not it can access the requested resource.
Any further requests sent by the client app will contain this same access token. In turn, the token will be validated by the server, and the result compared with the signature portion of the token.
In a typical JWT request, you’ll pass the token as part of the authorization header on the client-side after the client logged in, like Authorization: Bearer.
Doing so would prevent, for example, someone from meddling with the message’s payload and changing the role to Admin, allowing a fake or even a valid non-admin user, to execute a privileged action like issuing a payment to create a bloq.
There are many types of token, although in authentication with JWT the most typical are access token and refresh token.
Access token: It contains the information our server needs to know so the user / device can access the resource their are requesting or not.
Refresh token: The refresh token is used to generate a new access token.
The refresh token requires greater security when it is stored than the access token, as if it were stolen by third parties, they could use it to obtain new access tokens and access the protected resources of the application.
PUT https://api.bloqifi.com/v0/token
Content-Type*
String
application/json
token*
String
${refreshToken}
Should you need to revoke a refresh token for any reason, this endpoints makes it possible.
DELETE https://api.bloqifi.com/v0/token
Content-Type*
String
application/json
Authorization*
String
Bearer ${accessToken}
token*
String
${refreshToken}
Enabled user generated refresh token with predefined expiry
PATCH https://api.bloqifi.com/v0/token
Content-Type*
String
application/json
Authorization*
String
Bearer ${accessToken}
exp*
Number
Number of seconds
token*
String
${refreshToken}