Problem statement
Can I securely pass a JWT in the URL query parameters of a GET request?
Solution
Generally speaking, we don’t recommend sending JWTs via URL query parameters.
Why?
- Logged URLs can leave tokens exposed if those logs were to become compromised. This could be the logs of a web server for your application, browser add-ons, or service providers that have access to URLs. Any service that is logging URLs is now responsible for the security of your application’s tokens.
- End users have easy access to tokens. This could mean your tokens are shared accidentally by an unknowing user (copy/pasting), or gamed in a social engineering attack, putting the security of your tokens in the hands of your end-users.
- JWTs could become too long for most browsers. Browsers have limits on the length of URLs, and it’s possible for JWT tokens to be longer than those limits.
What do you recommend?
Use authorization headers for your JWT bearer tokens.
Authorization: Bearer <token>
Note: JWT is simply a standardized way of sending information between parties, and it is possible that you could safely send a JWT via a URL in other scenarios (e.g. single-use tokens), but it is not something we recommend in the context of Auth0.
Sources: Maximum URL Length, JWT in URL, Learn JWTs