0

I'm currently making an API and wanted to know if the API user has to send the token every time they make a request. I'm using Flask_JWT_Extended to handle authentication with the API. The token gets sent in the header.

pop smoke

2 Answers

2

Yes, that's one of the consequences of the REST "stateless" constraint.

"each request from client to server must contain all of the information necessary to understand the request" -- Fielding 2000

VoiceOfUnreason
0

When you use JWT as authentication and authorization, yes - your consumer needs to send the token with every request to prove that he is authenticated.

The idea is:

  • authenticate against a login service
  • obtain a token
  • use this token against multiple services which do not need to store/share a session

You can implement a session even with JWT and require your user to send a session cookie or similar - but doing so, you have the problem that you need to share the server-side session among different services, where JWT is a way to get rid of it.

Of course, the JWT token itself is larger in size than a simple cookie in many cases, but that should not be such a big deal nowadays.

Mandraenke