Best HTTP Authorization header type for JWT

by

The best HTTP header for your client to send an access token (JWT or any other token) is the Authorization header with the Bearer authentication scheme.

This scheme is described by the RFC6750.

Example:

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIXVCJ9TJV...r7E20RMHrHDcEfxjoYZgeFONFh7HgQ

If you need stronger security protection, you may also consider the following IETF draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-pop-architecture. This draft seems to be a good alternative to the (abandoned?) https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-http-mac.

Note that even if this RFC and the above specifications are related to the OAuth2 Framework protocol, they can be used in any other contexts that require a token exchange between a client and a server.

Unlike the custom JWT scheme you mention in your question, the Bearer one is registered at the IANA.

Concerning the Basic and Digest authentication schemes, they are dedicated to authentication using a username and a secret (see RFC7616 and RFC7617) so not applicable in that context.

More Related Contents:

  1. 403 Forbidden vs 401 Unauthorized HTTP responses
  2. How can I view HTTP headers in Google Chrome?
  3. What is http multipart request?
  4. What’s the “Content-Length” field in HTTP header?
  5. What character encoding should I use for a HTTP header?
  6. Axios get access to response header fields
  7. What exactly does the Access-Control-Allow-Credentials header do?
  8. Are Duplicate HTTP Response Headers acceptable?
  9. Operating System from User-Agent HTTP Header [closed]
  10. Can I rely on Referer HTTP header?
  11. JMeter Alter HTTP Headers During Test
  12. Is this statement correct? HTTP GET method always has no message body
  13. what’s the difference between Expires and Cache-Control headers?
  14. What are Content-Language and Accept-Language?
  15. Does the order of headers in an HTTP response ever matter?
  16. “CAUTION: provisional headers are shown” in Chrome debugger
  17. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  18. Change user-agent for Selenium web-driver
  19. Ideal HTTP cache control headers for different types of resources
  20. Send Post request along with HttpHeaders on Android
  21. How can I get all the request headers in Django?
  22. What are the main differences between JWT and OAuth authentication?
  23. Add custom header in HttpWebRequest
  24. How to add cross domain support to WCF service
  25. how to change the headers for angularjs $http.jsonp
  26. How to use the CSV MIME-type?
  27. Verifying Auth0 JWT throws invalid algorigthm
  28. Allow All Content Security Policy?
  29. Best practices for server-side handling of JWT tokens [closed]
  30. Differentiating Between an AJAX Call / Browser Request

Leave a Comment