
I'm implementing a stateless REST API via JSON Web Tokens (JWT). At the moment, I'm wondering what the best approach is to pass the user data to the front end. These are the fields I would need to access on the front end: username, email, role, full_name, description, profile_img, facebook_id, twitter_id, custom_setting_1, custom_setting_2, custom_setting_3, custom_setting_4.

There are 2 options that I see:

  1. During the JWT creation, add the user data to the JWT payload, and then decode it on the front end. Though I'm worried that if I add all the data, the payload will get quite large.
  2. I can add only unchangeable fields, like username and role, to the JWT. After the JWT is created and returned to the front end, I send another request for the user data from the API.

I might be missing something here as well, so I'm wondering what the best approach is to handling the user data with JWT.

  • I'm trying to figure out why you need JWT for that. A plain JSON is not enough? Commented Jun 21, 2016 at 12:40
  • JWT will be used to authenticate API calls. So the question really is: should I add the user data to the JWT (are there any pros/cons to it), or keep the additional API request to get the user data? Commented Jun 21, 2016 at 12:44
  • Please let me know if my answer was useful for you. Commented Jul 7, 2016 at 15:14

1 Answer

Once you are using JWT for authentication purposes (I understand your server is generating an authentication token that the client needs to send to the server in every request), there's no point in including all of those details in the token.

Your second approach makes much more sense:

I can add only unchangeable fields like username, role to JWT. After the JWT is created and returned to the front-end, I send another request for the user data from the API.

Keep your JWT lean and perform another request to have the user details.

For more information on how to design the URL to return the authenticated user details, check below:
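To make the "lean token plus a second request" recommendation concrete, here is an added example that is not part of the original question or answer. It assumes an HS256 token signed with a shared secret (the `SECRET` passed in), an in-memory `USERS` dict standing in for the API's database, a hypothetical `GET /me` handler (`handle_me`) that resolves the caller from the `sub` claim and reads the profile from the store, and short-lived tokens (`exp`). It builds both the "fat" token from option 1 and the "lean" token from option 2 so the size difference can be measured, and it verifies the token the way the API must on every request: algorithm pinned, signature compared in constant time, expiry checked.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed in-memory user store standing in for the API's database (assumption).
USERS = {
    "alice": {
        "username": "alice",
        "email": "alice@example.com",
        "role": "admin",
        "full_name": "Alice Example",
        "description": "Backend engineer",
        "profile_img": "https://example.com/img/alice.png",
        "facebook_id": "1000001",
        "twitter_id": "alice_tw",
        "custom_setting_1": "dark",
        "custom_setting_2": "en",
        "custom_setting_3": True,
        "custom_setting_4": 42,
    }
}


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Sign the claims as an HS256 JWT in compact serialization."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Verify signature and expiry; return the claims or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def lean_claims(user: dict, ttl: int = 900, now=None) -> dict:
    """Option 2 from the question: identity and role only, plus issue/expiry times."""
    now = int(time.time()) if now is None else now
    return {"sub": user["username"], "role": user["role"], "iat": now, "exp": now + ttl}


def fat_claims(user: dict, ttl: int = 900, now=None) -> dict:
    """Option 1 from the question: the whole profile copied into the token."""
    return {**lean_claims(user, ttl, now), **user}


def handle_me(secret: bytes, authorization: str, now=None) -> dict:
    """Hypothetical GET /me: authenticate via the bearer token, then load the profile
    from the store so changed fields (email, settings, role) are always current."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    claims = verify_token(secret, token, now)
    user = USERS.get(claims["sub"])
    if user is None:
        raise ValueError("unknown user")
    return dict(user)


if __name__ == "__main__":
    secret = b"change-me-to-a-random-256-bit-secret"
    alice = USERS["alice"]
    lean = issue_token(secret, lean_claims(alice))
    fat = issue_token(secret, fat_claims(alice))
    print(f"lean token: {len(lean)} bytes, fat token: {len(fat)} bytes")
    print("GET /me ->", handle_me(secret, "Bearer " + lean))
```

Note that with the lean token the role still travels inside the JWT, so a role change only takes effect after the token expires or is replaced; if that matters, look the role up in `handle_me` as well and keep only `sub` in the token.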


1 Comment

In my case, the server that is generating the token and the server that is receiving the token are two different entities and are placed in different geographical regions, so how should I add data to the token?
