Sorry for such a novice question.

I am fairly new to web security.

Can someone please explain to me, why do we need JWT token authentication for web api (REST) when I could include { username | email } / password for every single API request?

1 Answer

Mostly, it's a separation of concerns thing. JWTs are a way to authorize a request, whereas username/password is a way to authenticate. The key difference is that authentication is something you should ideally only have to do once, and it should be done by a dedicated endpoint responsible for that. For every other request, you're simply confirming the authorization you received from that initial authentication.

If you were to send username and password with every request, every endpoint then would have to handle authentication logic, which would be a nightmare. Using a JWT, the endpoint can simply verify that it's valid and move on to what it's actually responsible for.

JWTs are just one method of authorization. In a traditional website-style application, this would be handled by a cookie. This then enables the user to log in once, and then proceed to browse protected areas of the site without having to log in again. The equivalent of what you're suggesting would be essentially like forcing the user to log in again every time they clicked a link, just to view that next page.
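A minimal version of the flow the answer describes (one dedicated login endpoint that checks the password and issues a token, every other endpoint only verifying that token), as an added example that is not part of the original answer. It is standard-library Python only; the signing key, salt, user store, token lifetime and the `login` / `get_profile` endpoint names are constructed for illustration. It goes a little beyond the answer by showing the checks a verifier has to make on every request (signature, algorithm, expiry) and what happens with a tampered or expired token.

```python
"""HS256 JWT issue/verify flow, standard library only.

Added example, not the original answer's code. The key, salt, user
store and endpoint names below are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side state for the example (in practice: loaded from
# configuration, never hard-coded).
SIGNING_KEY = b"example-signing-key-rotate-me"
SALT = b"constructed-salt"
KDF_ROUNDS = 100_000
TOKEN_TTL = 900  # seconds a token stays valid
USERS = {  # username -> PBKDF2 hash of the password (constructed user)
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, KDF_ROUNDS),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authenticate(username: str, password: str) -> bool:
    """The only function that ever sees a password: the login endpoint's job."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, KDF_ROUNDS)
    stored = USERS.get(username)
    if stored is None:
        return False  # KDF already ran, so unknown users cost the same time
    return hmac.compare_digest(candidate, stored)


def issue_token(username: str, now: Optional[int] = None) -> str:
    """Build header.claims.signature with an HMAC-SHA256 over the first two parts."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """What every other endpoint does: no password, no user-store lookup.

    Returns the claims on success, None on any failure. The algorithm is
    pinned to HS256 before the signature is checked so an attacker cannot
    switch to "none" (or another algorithm) and skip verification.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, (h_b64 + "." + c_b64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None  # signature mismatch: header or claims were tampered with
        claims = json.loads(b64url_decode(c_b64))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None  # expired or missing expiry
        return claims
    except (ValueError, TypeError):
        return None  # malformed token (bad base64, bad JSON, wrong part count)


def login(username: str, password: str) -> Optional[str]:
    """Dedicated authentication endpoint: password checked once, token issued."""
    return issue_token(username) if authenticate(username, password) else None


def get_profile(token: str, now: Optional[int] = None) -> dict:
    """A protected endpoint: verifies the token, then does its own work."""
    claims = verify_token(token, now)
    if claims is None:
        return {"status": 401}
    return {"status": 200, "user": claims["sub"]}


if __name__ == "__main__":
    tok = login("alice", "correct horse")
    print(get_profile(tok))          # {'status': 200, 'user': 'alice'}
    print(get_profile(tok[:-4] + "AAAA"))  # {'status': 401}: signature broken
```

The point the answer makes is visible in the split: `authenticate` is the expensive, credential-handling step and runs only inside `login`; `get_profile` and any other endpoint call `verify_token`, which is a single HMAC plus an expiry check and never touches the password store. Pinning `alg` before checking the signature and comparing with `hmac.compare_digest` are the two details a hand-rolled verifier most often gets wrong.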

2 Comments

Hi @[Chris Pratt], many thanks for the clarification. I am trying to digest what you have suggested. I still do not feel like I have completely understood. What's wrong with using .NET Core Identity (which I believe is happening through the use of cookies) to handle API authorization? An example of this: pioneercode.com/post/…. What I also do not understand: you mentioned round-trips, but with enterprise-level JWT, on each API request the token is sent to another endpoint for verification, which is also a perf cost.
HTTP is a stateless protocol. Every request is unique, so if that request needs to access something protected, it must include something that gives it access. In the world of APIs, that's traditionally the Authorization header (where the JWT would go). For a traditional website, that would be a cookie.
