What are JWTs?
JSON Web Tokens are an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. In Definable, JWTs are used to:
- Authenticate users after login
- Maintain session state without server-side storage
- Pass user identity information securely between services
JWT Structure
JWTs consist of three parts separated by dots:
Header
Contains the token type and signing algorithm.
Payload
Contains the claims or user data.
Signature
Ensures the token hasn't been tampered with.
Implementation in Definable
Token Generation
When a user logs in successfully, the system generates a JWT containing:
- User ID (`id`)
- Expiration time (`exp`)
- No sensitive information like passwords
Token Validation
Every protected endpoint uses the `JWTBearer` dependency for validation:
- Extracts the token from the Authorization header
- Verifies the token signature using the secret key
- Checks if the token has expired
- Returns the decoded payload containing user information
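The structure, generation and validation steps above, worked through in one added example. This is not Definable's own code: it assumes HS256 signing (the page does not name the algorithm), uses only the Python standard library, and carries just the `id` and `exp` claims the page lists. Validation recomputes the signature over the exact header and payload bytes, compares it in constant time, pins the algorithm so a header claiming another one is rejected, and only then checks `exp`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encoding time.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, secret: bytes, lifetime_seconds: int, now: Optional[int] = None) -> str:
    """Create an HS256 JWT carrying only the user id and an expiry time."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Minimal payload: the identifier and 'exp'; never a password or other secret.
    payload = {"id": user_id, "exp": now + lifetime_seconds}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(signature)])


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload of a token whose signature and expiry check out; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise TokenError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError as exc:  # covers binascii.Error and JSON decode errors
        raise TokenError("malformed token: undecodable segment") from exc
    # Pin the algorithm: a header claiming 'none' or anything else is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected signing algorithm")
    # Recompute the MAC over the exact bytes the issuer signed; any change to
    # header or payload changes the expected value. Compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("invalid signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("malformed token: undecodable payload") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        raise TokenError("missing or invalid exp claim")
    if now >= payload["exp"]:
        raise TokenError("token expired")
    return payload


def is_valid(token: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_token for quick checks."""
    try:
        verify_token(token, secret, now)
    except TokenError:
        return False
    return True


if __name__ == "__main__":
    # Constructed demo values; a real deployment loads the secret from configuration.
    demo_secret = b"demo-secret-at-least-thirty-two-bytes-long"
    issued_at = 1_700_000_000
    token = mint_token("user-42", demo_secret, lifetime_seconds=900, now=issued_at)
    print(token)
    print(verify_token(token, demo_secret, now=issued_at + 10))
```

Passing `now` explicitly keeps the functions deterministic for tests; production callers leave it unset. The three troubleshooting cases later on the page (expired, wrong secret, tampered) each map to one of the `TokenError` branches here.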
Using JWT in Requests
Client applications must include the JWT in the Authorization header.
JWT and RBAC Integration
JWTs work in conjunction with the Role-Based Access Control (RBAC) system:
- The JWT establishes user identity
- The RBAC middleware uses this identity to determine:
  - The user's role in the requested organization
  - Permissions associated with that role
  - Whether the user can perform the requested action
JWT Configuration
Definable's JWT implementation can be configured through environment variables.
WebSocket Authentication
For WebSocket connections, JWTs are passed as query parameters.
Security Considerations
Definable's JWT implementation follows these security best practices:
- Secret Key Protection: The JWT secret is securely stored and never exposed
- Short Expiration Times: Tokens expire quickly to limit the damage of token theft
- No Sensitive Data: Tokens never contain sensitive user information
- HTTPS Only: JWTs are only transmitted over encrypted connections
- Signature Validation: All tokens are cryptographically verified
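An added example of what the "configured through environment variables" step and the first two best practices above look like when enforced at startup. It is not Definable's own configuration code: the variable names `JWT_SECRET` and `JWT_EXPIRE_MINUTES`, the 60-minute ceiling and the placeholder list are assumptions made for this example. The 32-byte minimum comes from RFC 7518 section 3.2, which requires an HS256 key at least as long as the hash output.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional


class ConfigError(Exception):
    """Refuse to start with an incomplete or unsafe JWT configuration."""


@dataclass(frozen=True)
class JwtSettings:
    secret: bytes
    access_token_lifetime_seconds: int


# Assumed variable names for this example; check the project's own
# configuration reference for the real ones.
SECRET_VAR = "JWT_SECRET"
LIFETIME_VAR = "JWT_EXPIRE_MINUTES"

# RFC 7518 section 3.2: an HS256 key must be at least 256 bits.
MIN_SECRET_BYTES = 32
# Ceiling chosen for this example to keep access tokens short-lived.
MAX_LIFETIME_MINUTES = 60
DEFAULT_LIFETIME_MINUTES = 15
# Values that show up in templates and must never reach production.
PLACEHOLDER_SECRETS = {"changeme", "secret", "replace-me", "dev", "password"}


def validate_environment(env: Mapping[str, str]) -> Optional[str]:
    """Return a human-readable problem with the JWT settings, or None if they are acceptable."""
    secret = env.get(SECRET_VAR, "")
    if not secret:
        return f"{SECRET_VAR} is not set"
    if secret.strip().lower() in PLACEHOLDER_SECRETS:
        return f"{SECRET_VAR} is a placeholder value"
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        return f"{SECRET_VAR} is shorter than {MIN_SECRET_BYTES} bytes"
    raw_minutes = env.get(LIFETIME_VAR, str(DEFAULT_LIFETIME_MINUTES))
    try:
        minutes = int(raw_minutes)
    except ValueError:
        return f"{LIFETIME_VAR} must be an integer number of minutes"
    if not 1 <= minutes <= MAX_LIFETIME_MINUTES:
        return f"{LIFETIME_VAR} must be between 1 and {MAX_LIFETIME_MINUTES}"
    return None


def load_jwt_settings(env: Mapping[str, str] = os.environ) -> JwtSettings:
    """Build JwtSettings from the environment, failing fast on any problem."""
    problem = validate_environment(env)
    if problem is not None:
        raise ConfigError(problem)
    minutes = int(env.get(LIFETIME_VAR, str(DEFAULT_LIFETIME_MINUTES)))
    return JwtSettings(
        secret=env[SECRET_VAR].encode("utf-8"),
        access_token_lifetime_seconds=minutes * 60,
    )


if __name__ == "__main__":
    # Constructed environments; the first is acceptable, the rest are rejected.
    samples = [
        {"JWT_SECRET": "x" * 40, "JWT_EXPIRE_MINUTES": "15"},
        {},
        {"JWT_SECRET": "changeme"},
        {"JWT_SECRET": "x" * 40, "JWT_EXPIRE_MINUTES": "1440"},
    ]
    for sample in samples:
        print(sample, "->", validate_environment(sample) or "ok")
```

Failing at startup rather than at the first request means a missing or placeholder secret is caught by whoever deploys the service, not discovered later as a stream of invalid-token errors.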
Troubleshooting
Invalid Token Error
This usually means:
- The token has expired
- The token was signed with a different secret
- The token has been tampered with
Missing Authentication
Check that:
- The Authorization header is included
- The header uses the format `Bearer <token>`
- There are no extra spaces or characters
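An added example covering both the "Using JWT in Requests" section and the checklist above: a small parser for the Authorization header that distinguishes a missing header, a wrong scheme, and extra spaces or stray characters around the token. It is not Definable's `JWTBearer` dependency; it only shows the header-handling step that such a dependency performs before the token itself is verified.

```python
import re
from typing import Mapping, Tuple

# JWS compact serialization: three non-empty base64url segments joined by dots.
_JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


class AuthHeaderError(Exception):
    """The request carried no usable bearer token."""


def extract_bearer_token(headers: Mapping[str, str]) -> str:
    """Pull the JWT out of 'Authorization: Bearer <token>' or raise AuthHeaderError."""
    # Header field names are case-insensitive, so match them that way.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise AuthHeaderError("Authorization header is missing")
    scheme, sep, token = value.partition(" ")
    # RFC 7235 makes the scheme name case-insensitive; RFC 6750 names it 'Bearer'.
    if not sep or scheme.lower() != "bearer":
        raise AuthHeaderError("Authorization header must use the form 'Bearer <token>'")
    if not _JWT_SHAPE.fullmatch(token):
        # Catches an empty token, a second space, trailing whitespace or stray characters.
        raise AuthHeaderError("bearer token is empty or contains unexpected characters")
    return token


def diagnose(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """(True, token) when the header is usable, otherwise (False, reason)."""
    try:
        return True, extract_bearer_token(headers)
    except AuthHeaderError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample requests; 'aaa.bbb.ccc' stands in for a real token.
    samples = [
        {"Authorization": "Bearer aaa.bbb.ccc"},
        {"authorization": "bearer aaa.bbb.ccc"},
        {"Authorization": "Bearer  aaa.bbb.ccc"},  # two spaces after the scheme
        {"Authorization": "Bearer aaa.bbb.ccc "},  # trailing space
        {"Authorization": "Basic dXNlcjpwYXNz"},
        {"Content-Type": "application/json"},
    ]
    for sample in samples:
        print(sample, "->", diagnose(sample))
```

Returning a specific reason rather than a generic failure makes the "Missing Authentication" cases above easy to tell apart in logs without ever echoing the token value itself.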
Token Expired
JWTs have a limited lifetime. When expired:
- The client needs to request a new token
- If using refresh tokens, use the refresh flow to get a new access token
Next Steps
- Authentication Overview: Learn about the complete authentication system
- Invitation Flow: How users join organizations via invitations
- Role-Based Access Control: Understanding permission management