important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Use JWT access tokens

Status

This is just a proposal so far; it hasn't been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2023-05-11

Context and Problem Statement

We need to decide the format of access tokens.

Considered Options

  • Opaque access tokens
  • Use JWT access tokens

Decision Outcome

Chosen option: Use JWT access tokens

  • We already use JWTs in our own session access tokens
  • Seems to be the industry standard
  • Enables offline verification (but online/calling the core is still an option)

Pros and Cons of the Options

Opaque access tokens

  • Can be simpler
  • Cannot accept out-of-date tokens
  • Validation always has to call the core

Use JWT access tokens

  • We already use JWTs in our own session access tokens
  • Enables offline verification (but online/calling the core is still an option)
  • Not strictly required; it could be an opaque string
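
The trade-off in the lists above, as an added sketch that is not SuperTokens code: it shows why an offline-verified JWT can still be accepted after its session is revoked, while an opaque token or an online check cannot. Assumptions: HS256 with a constructed shared key is used to stay within the standard library, and `REVOKED` and `OPAQUE_STORE` are hypothetical stand-ins for state held by the core.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"  # assumption: HS256 shared key, for brevity
REVOKED = set()                   # hypothetical session state held by the core
OPAQUE_STORE = {}                 # hypothetical core table: opaque token -> session

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_jwt(session_id, ttl, now):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": session_id, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def issue_opaque(session_id):
    token = secrets.token_urlsafe(32)
    OPAQUE_STORE[token] = session_id
    return token

def verify_jwt_offline(token, now):
    """Check signature and expiry locally; never consults the core."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        return claims if claims["exp"] > now else None
    except (ValueError, AttributeError, KeyError, TypeError):
        return None

def verify_jwt_online(token, now):
    """Offline checks plus a lookup of current session state in the core."""
    claims = verify_jwt_offline(token, now)
    return claims if claims and claims["sub"] not in REVOKED else None

def verify_opaque(token):
    """Opaque tokens carry no data, so every check is a core lookup."""
    session_id = OPAQUE_STORE.get(token)
    return None if session_id is None or session_id in REVOKED else session_id
```

With offline verification, the token lifetime (`ttl` here) bounds how long a revoked session can still be accepted, which is the cost paid for skipping the call to the core.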