is a method of authentication that relies on the use of tokens to grant access to resources.
- Token information: username, roles, permissions, expiration date, metadata
- Can be signed with a secret key or using a public-private key pair (authenticity).
- The user starts to authenticate and receives a token from the server for future access.
- The user (device) only needs to authenticate once, and then he presents the token.
- Supports OAuth2, JWS, OpenID, and others
- Pros: stateless, the server doesn’t store user information in the session (scalability).
- Pros: secure, the token is encrypted and signed.
- Pros: If the token is stolen it has a limited lifespan.
- Pros: It is not dependent on specific devices, platforms, or domains.
- Cons: deciding about token storage, expiration time, and size.