Backend Integration

Decide how your backend application server authenticate the incoming HTTP requests.

For Mobile App or Single Page Web App or Website, each request from the client to your application server should contain an access token or a cookie. Your backend server should validate them for each HTTP request.

There are different approaches to verify the requests based on whether you validate JWT (JSON Web Tokens) in your server, or forward authentication to Authgear Resolver Endpoint.

Validate JWT in your server

Authgear uses JSON Web Token (JWT) for secure data transmission, authentication, and authorization. Tokens should be parsed and validated in regular web, native, and single-page applications to make sure the token isn’t compromised and the signature is authentic.

Read more on Validate JWT in your application server guide.

JWT Token in Authorization Header

This approach is only available for Token-based authentication and involves passing the JWT token within the HTTP Authorization header. This approach is widely used in OAuth 2.0 and OIDC implementations, providing a standardized way to authenticate users.

JWT Token in Cookies

JWT tokens can be stored in HTTP cookies and sent with each request. It is suitable for Cookie-based authentication. Storing JWTs in cookies as a way to persist the user's session across requests. The server then uses JWKS to validate the token. This approach is useful in scenarios where you want to maintain user sessions across different services in a more traditional web application setup.

For Cookie-based authentication, JWT in cookies is not supported yet. You can track the issue here.

Forward Authentication to Authgear Resolver Endpoint

Forward Authentication is a process where an intermediate reverse proxy or API Gateway is responsible for authenticating a request before it reaches the intended application or service. This can add an extra layer of security and centralize the authentication logic. An intermediate service forwards each incoming HTTP request to the Authgear Resolver Endpoint to verify the access token or cookie in the HTTP header.

Read more on Forward Authentication to Authgear Resolver Endpoint guide.

Forward Authorization Header

Before processing the request, your server or a reverse proxy forwards the request to an Authgear Resolver Endpoint. This endpoint resolves and verifies the authentication information (such as an Access Token) from the request Authorization Header.

In this pattern, Access Token (JWT) is stored in a cookie, and your server or a reverse proxy may contact the Authgear Resolver Endpoint to obtain more information or validate certain aspects of the request.

Comparison

Validate JSON Web Token (JWT) in your application server

Forward Authentication to Authgear Resolver Endpoint

Reliability

Medium JWT only updates when expire. That means before the token expiry, your application may see the user is valid even they has been disabled

High Update near real-time, based on your reserve proxy cache setting

Integration difficulties

Easy You only need to add code in your application to validate and decode JWT

Medium Need to setup extra reverse proxy to resolve authentication information

Setup guides

Validate JSON Web Token (JWT) in your application server

Forward authentication with Authgear Resolver Endpoint

Last updated

#311: Include export users api in api reference doc page

Change request updated