Skip to main content

important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Use JWT access tokens

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:: proposed
Deciders:: rishabhpoddar, porcellus
Proposed by:: porcellus
Created:: 2023-05-11

Context and Problem Statement#

The we need to decide the format of access tokens.

Considered Options#

Opaque access tokens
Use JWT access tokens

Decision Outcome#

Chosen option: Use JWT access tokens

We already use JWTs in our own session access tokens
Seems to be the industry standard
Enables offline verification (but online/calling the core is still an option)

Pros and Cons of the Options#

Opaque access tokens#

Can be simpler

Cannot accept out-of-date tokens

Validation always has to call the core

Use JWT access tokens#

We already use JWTs in our own session access tokens

Enables offline verification (but online/calling the core is still an option)

Not strictly required, it could be an opaque string

Looking for older versions of the documentation?

Context and Problem Statement
Considered Options
Decision Outcome
Pros and Cons of the Options
- Opaque access tokens
- Use JWT access tokens