How to Securely Pass a JWT in the URL Query Parameters of a GET Request

Last Updated: Aug 21, 2024

Overview

This article details how to securely pass a JSON Web Token (JWT) in the URL query parameters of a GET request.

Applies To

  • JSON Web Token (JWT)
  • GET request

Solution

Is it safe to pass a JWT in the URL query parameters of a GET request?

Generally speaking, Auth0 does not recommend sending JWTs via URL query parameters for the following reasons:

  • Logged URLs can expose tokens if those logs are compromised. That includes the application's own web-server logs, browser history and add-ons, proxies, and any service provider that sees full URLs (a token in the URL can also reach third-party sites through the Referer header). Every service that logs URLs becomes responsible for the security of the application's tokens.
  • End users have easy access to the tokens. A token sitting in the address bar can be shared accidentally (copy/pasting a link) or extracted through social engineering, which puts the security of the tokens in the end users' hands.
  • JWTs can exceed URL length limits. Browsers, proxies and servers cap the length of a URL, and a JWT carrying many claims can be longer than those limits.

The recommended way is to send the JWT as a bearer token in the Authorization header:

Authorization: Bearer <token>
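The following is an added example, not code from the Auth0 article: a client helper that attaches the JWT as an Authorization header and strips any token from the query string, a server helper that accepts the bearer token from that header only (rejecting a token in the query string rather than falling back to it), and a check of the URL-length concern raised above. The sample token, the parameter names in TOKEN_PARAMS, the example issuer and the 2048-character limit are all assumptions; the token is constructed and unsigned.

```javascript
// Added example (not the Auth0 article's code): Authorization: Bearer <token> done properly.
// Runs under Node.js 16+. The sample token below is constructed and carries no real signature.

// RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
// The scheme name is case-insensitive (RFC 9110, section 11.1).
const BEARER_RE = /^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$/i;
// Compact JWS shape: header.payload.signature, each base64url (signature may be empty for alg "none").
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
// Query-parameter names under which tokens are commonly (mis)placed. Assumed list, not from the article.
const TOKEN_PARAMS = ['access_token', 'token', 'jwt', 'id_token'];

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample token with a hypothetical issuer; the third segment is a placeholder, not an HMAC.
const SAMPLE_JWT = [
  base64url({ alg: 'HS256', typ: 'JWT' }),
  base64url({ iss: 'https://example.auth0.com/', sub: 'auth0|123', aud: 'https://api.example.com', exp: 1735689600 }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
].join('.');

// Client side: carry the token in the header and make sure it is not also in the URL.
function buildAuthenticatedGet(url, token) {
  const u = new URL(url);
  for (const p of TOKEN_PARAMS) u.searchParams.delete(p); // keep the token out of URL logs and history
  return { method: 'GET', url: u.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Server side: return { token } when a well-formed bearer token is in the header, otherwise { error }.
// Only the header is consulted; a token in the query string is rejected, not used as a fallback.
function bearerTokenFromRequest(req) {
  const u = new URL(req.url, 'http://localhost'); // base only so that a path-only URL parses
  for (const p of TOKEN_PARAMS) {
    if (u.searchParams.has(p)) return { error: `token must not be sent in the query string (${p})` };
  }
  const header = req.headers.authorization ?? req.headers.Authorization;
  if (!header) return { error: 'missing Authorization header' };
  const m = BEARER_RE.exec(header.trim());
  if (!m) return { error: 'Authorization header is not a Bearer credential' };
  if (!JWT_SHAPE.test(m[1])) return { error: 'bearer token is not a compact JWS' };
  return { token: m[1] }; // signature, issuer, audience and expiry are verified after this step
}

// The URL-length concern: how long the GET URL would be if the token were put in the query string.
// 2048 is an assumed conservative limit; real browser and proxy limits vary.
function urlLengthWithTokenInQuery(baseUrl, token, limit = 2048) {
  const u = new URL(baseUrl);
  u.searchParams.set('access_token', token);
  const length = u.toString().length;
  return { length, exceedsLimit: length > limit };
}

// Stand-alone demo: a URL that already leaks a token is cleaned, and the header is what the server reads.
const req = buildAuthenticatedGet('https://api.example.com/me?access_token=leaked', SAMPLE_JWT);
console.log(req.url, '->', bearerTokenFromRequest({ url: req.url, headers: req.headers }));
```

The server helper deliberately treats a token in the query string as an error instead of ignoring it: silently accepting both locations means a single misconfigured client puts tokens back into every URL log on the path.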

What is an Authorization Header?

The HTTP Authorization header is the part of the HTTP protocol used to send credentials to a server so that it can authenticate a request. It is formatted as:

Authorization: <type> <credentials>

The <type> is the authorization scheme, such as Basic, Bearer or Digest. The <credentials> are the data the server needs to verify the identity: a username and password, a token, a hash, and so on.

NOTE: JWT is simply a standardized format for passing claims between parties, and in other scenarios (e.g., single-use, short-lived tokens) it can be acceptable to send a JWT via a URL, but it is not something recommended in the context of Auth0.
