The Most Important Thing to Know About JWT Tokens

The most important thing to know about JWT tokens when starting out is that you are using them to authenticate the client and not the user.

What I see confuse people most about JWT tokens, especially those working on multi-tenant projects or used to role-based authentication, is how to include user permissions in the scopes: things such as "Is User A allowed to access the data of Company X?" or "Is User B an admin?". While it is possible to hack together a solution that gives you those details (some Identity and Access Management providers do allow you to include user roles and additional information in tokens), that is not what JWT tokens, and specifically their scopes, are designed for, nor are JWT tokens meant to be the entirety of your IAM (Identity and Access Management) system.

JWT tokens live in a world where you are no longer in control of the complete ecosystem in which your services live, so these services can be called from anywhere, not just from your own clients and services. What JWT tokens are designed for is to identify the caller to your API service (e.g. a mobile app calling your API) and to tell you what the user has allowed that caller to do. They aren't there to tell you what the user is allowed to do on a global scale, but simply what the user has allowed the client to do on their behalf. As far as your backend is concerned, it isn't even interacting with the user; it is dealing with another client or service that is performing operations on the user's behalf.

Once you have verified that the caller has been allowed to perform actions on behalf of the user, the usefulness of a bearer token ends; there are far more secure and efficient ways of then verifying what the user is allowed to do, such as calling the IAM directly from the backend service or implementing a more complex permissions service.
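The two-step model the post describes, as an added example that is not part of the original article: step one verifies the token and asks only "did the user grant this client the scope?"; step two asks the separate question "is this user allowed to do that in this tenant?" against a permissions store standing in for the IAM or permissions service. The HS256 shared secret, the `DEMO_PERMISSIONS` table, the fixed clock and every user and tenant name are constructed for the demo; a real service would verify against the issuer's keys and call its IAM instead of the dictionary.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment verifies against the issuer's key material.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
FIXED_NOW = 1_700_000_000  # constructed clock so the example is deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT; used here only to construct sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header pick it (rejects "none" and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else int(time.time())
    if claims.get("exp", 0) <= current:  # a missing exp is treated as expired
        raise ValueError("expired")
    return claims


def client_allowed(claims: dict, required_scope: str) -> bool:
    """Step 1: did the user grant this client the scope? This is what the token answers."""
    return required_scope in claims.get("scope", "").split()


# Constructed permissions store standing in for a call to the IAM / permissions service.
DEMO_PERMISSIONS = {
    "user-a": {"company-x": {"reports:read"}},
    "user-b": {"company-x": {"reports:read", "reports:write"}, "company-y": {"reports:read"}},
}


def user_allowed(user_id: str, tenant: str, action: str, permissions: dict = DEMO_PERMISSIONS) -> bool:
    """Step 2: is the user themselves allowed to do this in that tenant? The token does not answer this."""
    return action in permissions.get(user_id, {}).get(tenant, set())


def authorize(token: str, secret: bytes, required_scope: str, tenant: str, action: str,
              now: Optional[int] = None) -> str:
    """Run both checks in order and report which one, if any, denied the request."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError as exc:
        return f"deny: {exc}"
    if not client_allowed(claims, required_scope):
        return "deny: client not granted scope"
    if not user_allowed(claims["sub"], tenant, action):
        return "deny: user lacks permission"
    return "allow"


# Constructed sample tokens: a read-only grant for each user.
TOKEN_USER_A = mint_token({"sub": "user-a", "scope": "reports:read", "exp": FIXED_NOW + 3600}, DEMO_SECRET)
TOKEN_USER_B_READONLY = mint_token({"sub": "user-b", "scope": "reports:read", "exp": FIXED_NOW + 3600}, DEMO_SECRET)

if __name__ == "__main__":
    print(authorize(TOKEN_USER_A, DEMO_SECRET, "reports:read", "company-x", "reports:read", FIXED_NOW))
    print(authorize(TOKEN_USER_A, DEMO_SECRET, "reports:read", "company-y", "reports:read", FIXED_NOW))
    print(authorize(TOKEN_USER_B_READONLY, DEMO_SECRET, "reports:write", "company-x", "reports:write", FIXED_NOW))
```

The third call is the case the post is warning about: User B is an admin of Company X in the permissions store, yet the request is denied, because the client only ever asked the user for `reports:read`. The token settles what the client may do on the user's behalf; the permissions lookup settles what the user may do at all, and neither check can substitute for the other.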