Backend/API Integration
An API or service protected by Authgear
Last updated
Was this helpful?
An API or service protected by Authgear
Last updated
Was this helpful?
If your API or backend service needs authentication, you can validate the session in your application server code. Each request from the client to your application server should contain an access token or a cookie. Your backend server should validate them for each HTTP request.
There are different approaches to verify the requests based on whether you validate JWT (JSON Web Tokens) in your server, or forward authentication to Authgear Resolver Endpoint.
Reliability
Medium JWT only updates when expire. That means before the token expiry, your application may see the user is valid even they has been disabled
High Update near real-time, based on your reserve proxy cache setting
Integration difficulties
Easy You only need to add code in your application to validate and decode JWT
Medium Need to setup extra reverse proxy to resolve authentication information
Transportation of session
Access Token in Authorization header
Session ID in Cookies or
Access Token in Authorization header
Authgear uses JSON Web Token (JWT) for secure data transmission, authentication, and authorization.
Authgear returns the access token and refresh token to the client app after authentication. Your client app should call the backend with the access token in the Authorization header. The tokens should be parsed and validated in the backend server to ensure they are not compromised and the signature is authentic.
Request example:
Read more on Validate JWT in your application server guide.
Forward Authentication is a process where an intermediate reverse proxy or API Gateway is responsible for authenticating a request before it reaches the intended application or service. This can add an extra layer of security and centralize the authentication logic. An intermediate service forwards each incoming HTTP request to the Authgear Resolver Endpoint to verify the access token or cookie in the HTTP header.
Read more on Forward Authentication to Authgear Resolver Endpoint guide.
Instead of validating the access token in the backend, a reverse proxy forwards the request to an Authgear Resolver Endpoint. This endpoint resolves and verifies the access token in the Authorization Header of the request.
In this approach, instead of validating the token in authorization header, Authgear returns Set-Cookie headers and sets cookies to the browser. The cookies are HTTP only and share under the same root domains. So you will need to setup the custom domain for Authgear, such as identity.yourdomain.com.
If you have multiple applications under yourdomain.com, all applications would share the same session cookie automatically. After that, you can verify the cookies using the Resolver Endpoint.
Request example: