Engineering

⌘K
  1. Home
  2. Docs
  3. Engineering
  4. Lovia System Architecture
  5. JWT

JWT

We use JSON Web Tokens (JWT) for authentication of a user/session to multiple backend services, and also to authenticate between backend services.

The recommended signing for JWT is to use public key (verify using JWKS) instead of shared secret. So the only place of private key is the FusionAuth instance. However, if using public key is not possible, shared secret can be used.

To learn more about JWT signing algorithms, see Scott Brady’s Which Signing Algorithms?. For Lovia, we use ES256 as that is supported by default by FusionAuth and is secure, or when shared secret is used, HS256.

Creating A JWT Token Manually

Sometimes you want to create a JWT token manually/programmatically.

yarn global add --force jsonwebtoken
const jwt = require('jsonwebtoken');
let duration = 25 * 365.25 * 24 * 60 * 60; // in seconds, this one is 25 years
let token;
// default signing algorithm is HMAC SHA256
token = jwt.sign(
  {
    iss: 'lovia.life',
    sub: 'USER_ID',
    exp: Math.floor(Date.now() / 1000) + duration,
    roles: ['user']
  },
  'SECRET_HERE');

How can we help?