Securing Your API with JSON Web Tokens (JWTs)¶

Using Thriftly Developer’s built-in support for JSON Web Tokens (JWTs), you can easily configure your Thriftly APIs to include sophisticated API authorization, securing your API with minimal effort.

If you configure your Thriftly APIs to create and require JWTs, users will be required to log in to any application that uses your API. When they do, the Thriftly Server will pass that user a unique token that contains several claims (pieces of unique identifying information). The user’s token is then automatically embedded in the header of their subsequent API calls, letting the Thriftly Server know that the user is (or isn’t) authorized to call the functions they’re attempting to access.

Due to their unique, stateless nature, JWTs are the current standard in API authorization. Because JWTs are embedded in the header of your users’ API calls, your server does not have to maintain session data or route calls through a separate authorization service in order to authorize users. This reduces your server traffic while still ensuring that your API (and your data) is secured.

If you’d like to learn more about JWTs before integrating JWT-based authorization into your own APIs, we recommend you read:

• JWT.io’s introduction to JSON Web Tokens.

• Our own overview on how JWTs work, which includes some Thriftly-specific information.

• This additional JWT overview published on Medium.

After you’ve learned all you want to know about JWTs, you can start implementing JWT authorization within your Thriftly APIs by:

• First, Updating Your APIs to Generate and Require JWTs.

• Then, Finalizing and Testing Your JWT Configuration.