Does anyone here know JSON Web Tokens? Please enlighten me.
Here's my understanding:
- Client side will request a token by passing username:password or API key:secret key.
- Server will authenticate it and generate a token that will be sent back to the client.
- Client will then request specific data by passing that token, e.g. GetUsers.
Now here are my problems:
- How can I secure my username:password or API key:secret key on the client side?
- If there is no solution for problem 1, then I'm planning to move my keys to the server side. However, I'm still confused, since my keys will not be visible to the public but my URL for requesting a token will be public.
Here's my scenario for problem 2. Setup will be:
- Third party api
- My local server
- Client Side
Scenario will be:
- Client side will request to my local server where my keys are stored, e.g. www.example.com/authenticate
- My local server will request a token from the third-party API and send it back to the client.
My keys are not visible, but www.example.com/authenticate is visible to the public.
Please help me conclude which one to use and which security practice I should follow.