Change Log |  |
---|---|
WayGee |  |

Related Documents |
---|
Confluence Link |
Tokens
The API uses three kinds of bearer tokens: Access, ID, and Refresh. By its nature a bearer token is like cash: whoever presents it is honored. Once a bad actor gets hold of one, the resource server cannot tell the stolen copy from the legitimate one, so it cannot be clawed back and stays usable until it expires.
It is the responsibility of the client app to store and protect the tokens.
Token Types
Tokens grow in size over time as additional data is added to the system. Extra claims and, for the refresh token, encryption both contribute to their growth and to their variable size, so clients must not assume a fixed length.
Token Type | Usage | Expiration | Token Size (Estimated) |
---|---|---|---|
Access Token | A JWT presented to access protected resources. | 1 hour | 2 KB - 4 KB |
Refresh Token | An encrypted, opaque bearer token (not a JWT) exchanged for a new access token so the user session continues without interruption. | 30 days | 500 B - 2 KB |
ID Token | A JWT carrying identity claims (fields) such as UAID. | No expiration | 500 B - 1 KB |
Best Practices
There is much debate about where an OAuth 2.0 client should store tokens. The size and usage of each token type above are a guide to how a client app should handle it.
The following is the recommended approach:
Store the refresh token in a cookie. Set HttpOnly so that page scripts cannot read it, and also set Secure (sent over HTTPS only) and SameSite so that the browser does not attach it to cross-site requests. Scoping the cookie's Path to the refresh endpoint keeps it off every other request.
Store the access token and ID token using one of the following methods, where the design allows:
Server side (best option): the browser holds only an opaque session cookie and the tokens never leave the server.
Local Storage (2nd best option): survives tab and browser restarts, but any script running on the origin, including injected XSS, can read it.
Session Storage: same script exposure as Local Storage, and be careful because it is cleared when the tab closes.
Examining Contents of JWT Tokens
A JWT is a signed, not encrypted, JSON object made up of fields called "claims". Its three base64url-encoded parts (header, payload, signature) can be read by anyone holding the token, so a JWT must never carry secrets; the signature only lets the API confirm that the token came from the issuer and was not altered. To see the contents of a JWT, paste it into the decoder at https://jwt.io. Treat any production token pasted into a third-party page as a bearer credential you have handed over; decode those locally instead.