Overview
This article details how to securely pass a JSON Web Token (JWT) in the URL query parameters of a GET request.
Applies To
- JSON Web Token (JWT)
- GET request
Solution
It is generally not recommended to send JSON Web Tokens (JWTs) via URL query parameters due to several security concerns:
- Logged URLs can expose tokens if those logs are compromised. This includes logs kept by the application's web server, by browser add-ons, or by service providers with access to the URL. Any service that logs URLs then becomes responsible for the security of the application's tokens.
- End users can easily access tokens. This means tokens might be shared accidentally (for instance, by copying and pasting a URL) or obtained through social engineering, placing the responsibility for token security on end users.
- The length of JWTs can exceed the maximum URL length supported by most browsers.
The recommended method for transmitting JWT bearer tokens is to use an Authorization Header:
Authorization: Bearer <token>
The HTTP Authorization Header, a component of the HTTP protocol, enables the sending of credentials to a server for request authentication. It typically uses the following format:
Authorization: <type> <credentials>
In this format, <type> specifies the authorization scheme (for example, Basic, Bearer, Digest), and <credentials> represents the data required by the server for identity verification, such as a username and password combination, a token, or a hash.
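The following is an added example, not Auth0's own code, showing both sides of the recommendation above: a server-side helper that reads the token only from the Authorization header, a check that flags query parameters carrying a JWT-shaped value, and a redaction step that strips such values from a URL before it reaches the logs described earlier. The sample token is constructed for illustration and its signature segment is not valid.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# A compact JWS/JWT is three base64url segments separated by dots
# (header.payload.signature). This only recognises the shape; it does
# not validate the signature or claims.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Constructed sample: {"alg":"HS256"}.{"sub":"user1"}.<dummy signature>
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2ln"


def extract_bearer_token(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None.

    Header names are matched case-insensitively; any other scheme
    (Basic, Digest, ...) or a malformed value yields None.
    """
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        return None
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token if JWT_RE.match(token) else None


def query_params_carrying_jwt(url: str) -> list:
    """Names of query parameters whose value looks like a JWT.

    A non-empty result means a token reached the server in the URL and
    will appear in any access log, proxy log or browser history.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if JWT_RE.match(value)]


def redact_jwts_in_url(url: str) -> str:
    """Replace JWT-shaped query values with 'REDACTED' before logging the URL."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if JWT_RE.match(v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    url = "https://api.example.com/me?token=" + SAMPLE_JWT + "&page=2"
    print(extract_bearer_token({"Authorization": "Bearer " + SAMPLE_JWT}))
    print(query_params_carrying_jwt(url))  # ['token']
    print(redact_jwts_in_url(url))  # token value replaced
```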
NOTE: A JWT provides a standardized method for sending information between parties. While sending a JWT in a URL can be done safely in specific scenarios (for example, with single-use tokens), Auth0 does not recommend this practice for general use.