Tags - jwt

Dispelling Token Auth myths

Recently a friend commented on how Django might do more to support SPA applications, notably by having built-in support for authentication using JWTs.

This is not a new question, and recently I've been discussing with someone on IRC about JWT support in Django that was not tied to Django REST Framework.

I have frequently helped people on IRC having issues supporting token based auth in their APIs. But all too often they can't explain why they're using token auth or what problems it solve for them, just that they read somewhere it was needed. (Or worse, their manager demanded it without justification.)

Using Django's session auth with your SPA

I keep hearing people saying they use Token auth because they think Django's default session-based auth won't work with their Vue/React/whatever Single Page Application (SPA).

This has always baffled me, beyond assuming people are cargo culting something.

Also I've recently had interactions with someone I deeply respect, who also seemed to feel Django's docs on handling authentication with a SPA were lacking.

Tokens ain't Tokens

After writing my recent rant about token authentication, I realised there was more to say on the subject.

Not all tokens are created equal, so I feel it's important for people to understand the differences.

Here's a quick summary of some of the common token types, and their relative strengths and weaknesses.