Comment by Xingheng Wang on "What are the best practices when using JWT for sessions?" | Hashnode

Popular posts

CommentWhat are the best practices when using JWT for sessions?

Xingheng Wang

Co-founder Moesif.com (API analytics). Previous Microsoft & Zynga. CS from MIT.

few things on best practice. :

First, JWT is not a place to store data like profile image (I assume it is the url to the image), first name and last name should not be in the token. It will make the token very bloated with that much data. Think about what does it mean to have a claim. It is what permission the user have services to. So user have a profile/edit permission. You would think in terms of resources that user have permission to. An example:

{
  sub: "userid",
  permission: {
     profile: "read:write",
     resource1: "read",
     resource2: "write",
     service1: "read"
  }
}

The JWT token should always be short lived, so make sure exp is always set, or else you can't really revoke them.
The claim should be self evident, ie. whole point of the JWT is so that each service don't have to check a centralized place like redis.