Pulled [a link from one of the comments](shieldfy#6 (comment)) from the original issue (shieldfy#6). You don't need JWT if you are just authenticating users - just use TLS. If you want some other thing from JWT (asymmetric encryption, tamper protection, etc), use [PASETO](https://github.com/paragonie/paseto).
Make alternative suggestions more concise
Maikuolan left a comment
There's a typo in there (asymetric -> asymmetric) which can just as easily be fixed either before or after merging, so no big deal, but generally, LGTM. 👍
I'm aware I'm submitting this review less than an hour after the pull request was created, so not much time yet for others to be able to comment or review. Accordingly, though approving now, I'll wait a few hours before merging anything, to give others a chance to comment or review according to their own viewpoints.
README.md
| ## See also: | ||
|
|
||
| - [yosriady/api-development-tools](https://github.com/yosriady/api-development-tools) - A collection of useful resources for building RESTful HTTP+JSON APIs. | ||
| - You don't need JWT, just use a randomly generated API key. If you need asymetric encryption or tamper prevention [here are some alternatives to JWT](https://kevin.burke.dev/kevin/things-to-use-instead-of-jwt/) |
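Review bot: the replacement line drops the transport requirement that the PR description keeps ("just use TLS"): "just use a randomly generated API key" on its own reads as though the key by itself is the security control, whereas a key sent over plain HTTP can be read by anyone on the path. Suggest "just use a randomly generated API key sent over TLS", and fix the "asymetric" spelling in the same line while touching it.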
Small typo (asymetric -> asymmetric).
I think the JWT recommendations that were there are good, but should be presented in the form of "Don't use JWTs because X, Y, Z, and instead prefer A, B or C. If you are stuck with JWTs, you should..." Also, you likely want to snip out that
Good points there. I agree, @guest20.
Thanks for the reviews! Removed the line you suggested @guest20 and fixed asymmetric spelling 🙂
You don't need JWT if you are just authenticating users - just use a bearer token with TLS. Put it in the authorization header or query string.
There are a bunch of people asking in the original issue (#6) "but what should I use instead of JWT?"
The answer is - just a token. If you're using HTTPS, it's secure.
@rdegges wrote a comment that has some additional information but says the important part clearly:
I included a link from another of the comments from the original issue with some additional discussion of alternatives.
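The bearer-token approach discussed above, as an added example that is not part of the pull request or the checklist project: a constructed Python sketch that issues random API keys, stores only their hashes, and resolves an `Authorization: Bearer` header to a user. The in-memory store and the function names are assumptions; in practice the store would be a database and the key would only ever travel over TLS.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store: sha256(key) -> user id. Only the digest is kept,
# so a leaked copy of the store does not yield usable keys (assumption: a real
# service would persist this in a database).
_KEY_STORE: Dict[str, str] = {}


def _hash_key(api_key: str) -> str:
    """Digest of the key; this is what gets stored and compared, never the key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(user_id: str) -> str:
    """Generate a 256-bit random key, store its hash, and hand the key out once."""
    api_key = secrets.token_urlsafe(32)  # 32 CSPRNG bytes, URL-safe base64 text
    _KEY_STORE[_hash_key(api_key)] = user_id
    return api_key


def revoke_api_key(api_key: str) -> bool:
    """Invalidate a key immediately; returns False if it was not active."""
    return _KEY_STORE.pop(_hash_key(api_key), None) is not None


def authenticate(authorization_header: Optional[str]) -> Optional[str]:
    """Resolve 'Authorization: Bearer <key>' to a user id, or None if invalid."""
    if not authorization_header:
        return None
    scheme, _, presented = authorization_header.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return None
    presented_hash = _hash_key(presented)
    # Compare digests with a constant-time check so response timing does not
    # reveal how many leading characters of a guessed key were correct.
    for stored_hash, user_id in _KEY_STORE.items():
        if hmac.compare_digest(stored_hash, presented_hash):
            return user_id
    return None
```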