How work with JWT


I want to implement json:api in my company but we have some doubts working with authentication tokens.

We want to implement the JWT standard and we don’t know how to start with authentication tokens.

We are thinking in an url like this:
POST /security-token (we need to pass the username and password, but how?)
This request must create a JsonWebToken and return it to the client.

Which info we need to provide to the request to be compatible with json:api?
We don’t want the token to be accessible by a GET because the token is not persisted anywhere. How we can deal with it?


The way I do it in my project is very simple: I don’t use JSON API for that task. The specification on that website is for a resource based API. You create, edit, and delete resources.

So the client (the Ember app) talks with to retrieve the token. (How the API is implemented is up to you)

Once the client has the token, it uses it to talk to the other API at which follows the JSON API format.


We use Auth0 for authentication. Like maark said, its handled outside of the JSON API spec.