6 votes

I'm using the PyJWT library (import jwt) to generate JSON web tokens for authentication.

The original design had us passing the token in through the URL like http://example.net?token=eyKDFkdfkdndfndfk...

However, with this solution it appears that anybody who views the token in the URL could then use this token to access the site.

Is the proper solution to pass the JWT through the HTTP header and through SSL? It looks like some solutions pass the JWT through "Authorization Bearer" such as in this thread: Best HTTP Authorization header type for JWT

Comments:

deceze♦ (score 1): Yes, yes that would be it.

William Ross: What is the correct way to give clients a token? If I send a client a token, and they expose the token by accident, would that present a vulnerability?

deceze♦: That depends on a lot of things and is hardly generally answerable.

Hans Z.: @William Ross: wrt. the question in your comment: OAuth 2.0 is designed as a protocol that hands down tokens issued to clients via a secure and standardized mechanism.

1 Answer

1 vote

You can pass the JWT token in the auth header as depicted here: get request with jwt
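The question and the answer above contrast two places a client can put the token: the query string (`?token=...`) and the `Authorization: Bearer` header. The following added example, which is not part of the question, the answer or the PyJWT project, shows a server-side check that accepts the bearer header only and refuses a token that arrives in the URL, because query strings are written to access logs, browser history and `Referer` headers. To stay self-contained it mints and verifies an HS256 JWT with the standard library (`hmac`, `hashlib`, `base64`, `json`) as a stand-in for PyJWT's `jwt.encode`/`jwt.decode`; the secret key, the `example.net` URLs and the claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed demo secret; a real deployment loads the key from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for jwt.encode(claims, key, algorithm="HS256")."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Stand-in for jwt.decode(token, key, algorithms=["HS256"]).

    Returns the claims on success, None on any failure. The algorithm is pinned
    on the server side; the 'alg' field in the token is never used to pick a key.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def token_from_request(headers: dict, url: str) -> Tuple[Optional[str], str]:
    """Locate the credential. Returns (token, source) where source is
    'header', 'query' or 'none'. A token in the query string is reported but
    never returned, so the caller can reject it and log the misuse."""
    if "token" in parse_qs(urlsplit(url).query):
        return None, "query"
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return credential.strip(), "header"
    return None, "none"


def authenticate(headers: dict, url: str, key: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Full server-side check: bearer header present, signature valid, not expired."""
    token, source = token_from_request(headers, url)
    if token is None:
        # source == 'query' is the case from the question: treat it as a leak,
        # not as a login, so the client is forced onto the header.
        return None
    return verify_hs256(token, key, now)


if __name__ == "__main__":
    tok = mint_hs256({"sub": "alice", "exp": 2000000000}, SECRET)
    print("header :", authenticate({"Authorization": "Bearer " + tok}, "https://example.net/api", now=1000))
    print("query  :", authenticate({}, "https://example.net/api?token=" + tok, now=1000))
```

The query-string branch is the one the question asks about: the request is refused even though the token inside it is perfectly valid, which makes the insecure client behaviour visible immediately rather than silently working until the token shows up in a log file. Transport security (HTTPS) is still required for the header variant, since a bearer token is a password-equivalent that anyone who can read the request can replay.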