JSON Web Token (JWT)
Quickly learn about JWT and how to use it on All That Node!
JSON Web Token (JWT) is an open, industry standard method for representing claims securely between two parties. You can enable JWT in All That Node and send requests with JWT to ensure only authorized requests are available. — an excerpt from
JSON Web Tokens (JWTs) provide a secure method of exchanging information between different entities. By employing techniques such as signing with public/private key pairs, JWTs offer assurance regarding the authenticity of the senders. Furthermore, the inclusion of the header and payload in the signature calculation allows for the verification of data integrity, ensuring that the content has not been altered.
It may look complicated, but it's not. We will guide you through setting up JWT successfully.
Generate a key pair that conforms to the RS256 or ES256 algorithm. You can use a tool such as OpenSSL.
Example to create the private / public key pair
If you register at least one public key, a request without a JWT fails.
Go to your "Security" menu on your dashboard.
Click the "Add a Public Key" button.
(Optional) Enter a name.
Upload the public key that you generated above to the "JWT Public Key" section.
Click "Add" to register your public key.
Check that the "Id" of your public key has been added to the list in the security settings. It is used as the "kid" (Key ID) when generating the JWT.
These three parts (header, payload, and signature) make up the JWT and are separated by ".". Thus, a JWT looks like:
alg: "RS256" - The signing algorithm being used.
typ: "JWT" - The type of the token you are going to generate.
kid: "54f26cb4-15a9-11ee-a1d8-0a58538e0d0c" - The public key "Id" from the All That Node Dashboard.
exp: 1719511840 - (Optional) Expiration timestamp for the JWT. (Unix timestamp)
nbf: 1687834195 - (Optional) Not-before timestamp: the JWT is valid only once the current time has reached this value. (Unix timestamp)
aud
To create the signature part of the JWT, you have to encode the header and payload according to the JWT specification and then sign them.
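Added example, not All That Node's own code: it builds the header and payload with the fields listed above, signs them with RS256 using Node's built-in crypto module, and runs the local checks (format, pinned algorithm, signature, exp, nbf) that explain why a token would be rejected. The in-process key pair stands in for the one you generate with OpenSSL; the kid placeholder and the names signJwt and verifyJwt are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for the RS256 key pair you would generate with OpenSSL.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

const b64url = (data) => Buffer.from(data).toString("base64url");

// Hypothetical helper: header and claims use the field names described on this page.
function signJwt(key, kid, claims) {
  const header = { alg: "RS256", typ: "JWT", kid };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<payload>".
  const signature = crypto.sign("sha256", Buffer.from(signingInput), key);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Hypothetical verifier-side check: format, pinned algorithm, signature, then exp/nbf.
function verifyJwt(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "format" };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")) ?? {};
  } catch {
    return { ok: false, reason: "format" };
  }
  // Never let the token choose the algorithm; accept only the one the key was registered for.
  if (header?.alg !== "RS256") return { ok: false, reason: "alg" };
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!valid) return { ok: false, reason: "signature" };
  if (claims.exp !== undefined && now >= claims.exp) return { ok: false, reason: "expired" };
  if (claims.nbf !== undefined && now < claims.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, kid: header.kid, claims };
}

// Constructed sample values: placeholder kid, token usable now and for one hour.
const now = Math.floor(Date.now() / 1000);
const token = signJwt(privateKey, "<your-public-key-id>", { nbf: now - 10, exp: now + 3600 });
console.log(`Authorization: Bearer ${token}`);
console.log(verifyJwt(token, publicKey));
```

A short exp keeps the window small if a token leaks, since the page's only revocation path is removing the public key.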
Almost finished! When you send a request, add the generated JWT to the request header; otherwise the request fails.
Put the JWT in the Authorization HTTP header. With curl, use -H "Authorization: Bearer <JWT>".
Q: I want to force the issued JWT to expire.
A: If you suspect that the issued JWT might have been compromised and you wish to prevent its usage, you can remove the corresponding public key from the security settings within your project.
Q: Which cipher does All That Node support?
Q: Can I add multiple JWTs to a project?
A: You can activate up to 25 JWTs on a project at once.
Q: My requests return 403 errors.
A: The 403 error indicates that the server understood the request, but it refuses to authorize it. There are a few potential reasons for this error:
Invalid JWT format: Ensure that the JWT included in the request header is correctly formatted according to the expected specifications. Verify that the header, payload, and signature are properly constructed.
Expired JWT: Check the expiration time (exp claim) of the JWT. If the JWT has exceeded its expiration time, it will no longer be considered valid for authentication.
Security settings: If you have enabled additional security measures in your project, such as IP blocking or other access restrictions, make sure your requests comply with these settings. If your IP address has been blocked or restricted, you may encounter a 403 error.
You have to set the header, payload, and signature to generate a JWT. Visit for more examples!
"”
(Optional) If this audience option exists, the token is valid only when the value ends with " ", case-insensitive
💡 you can generate JWT easily on
A: For now, All That Node supports RSA 256 (RS256) and ECDSA 256 (ES256), as specified in .