Token-based authentication is one way to confirm a user’s or device’s identity. It relies on checking whether the entity possesses a previously issued token.
What is token-based authentication?
Token-based authentication is the process of verifying identity by checking a token. In access management, servers use token authentication to check the identity of a user, an API, a computer, or another server.
A token is a symbolic item issued by a trusted source — think of how law enforcement agents carry a badge issued by their agency that legitimizes their authority. Tokens can be physical (like a USB hard key) or digital (a computer-generated message or digital signature).
Token-based authentication can refer to a couple of different processes:
- Verifying identity via a physical token. This is a widely used authentication factor for logging in: users are asked to present their token when signing in to an account or a device. (Authentication factors are described in more depth in What is authentication?)
- Reconfirming identity via a web token. Web tokens are purely digital. A web token is generated by a server and sent to a client. The token is attached to each client request so that the server knows the client’s identity and what data the client can access.
How does authentication with a physical token work?
Authenticating via physical token usually takes place during the user login process. The user must prove that they possess an item no one else has. They can prove this by entering a code displayed by the item, connecting the item to a device via USB, connecting the item via Bluetooth, or several other methods. Similar to the way entering a password proves that the user possesses a piece of knowledge that no one else has, using a token proves that a user possesses an item only that the user has.
Two kinds of tokens are used for this type of authentication: soft tokens and hard tokens.
- Soft tokens involve entering a secret code or message sent to a device to prove possession of the device. Often, this takes the form of a code sent to a smartphone via text message.
- Hard tokens are hardware items the user connects directly to a computer or mobile device to log in.
How does authentication via web token work?
A web token is digital, not a physical item. It is a message sent from a server to a client and stored temporarily by the client. The client includes a token copy in subsequent requests sent to the server to confirm the client’s authentication status.
While physical token authentication verifies identity during the login process, web tokens are issued as the result of a successful login. They keep the logged-in session active.
However, using web tokens for user sessions is not always ideal. Many developers are proponents of using cookies instead. Web tokens may be better used for API endpoint authentication or to validate a connection between servers instead of between server and client.
What is JSON Web Token (JWT)?
In web development, “web tokens” almost always refer to JSON Web Tokens. JSON Web Token (JWT) is a standard for creating digitally signed web tokens that contain JavaScript Object Notation (JSON) data. A server creates a token that proves the client’s identity and sends it to the client. JWT uses digital signatures to prove the token is legitimate.
JWTs include three components:
- Header: The header provides information about the JWT — what kind of token the JWT is and which method was used to sign it digitally.
- Payload: Any JSON data can go here. JWT payloads for authentication include claims about the user’s identity in the payload. They can also include information about the user’s, server’s, or API endpoint’s permissions.
- Digital signature: The signature uses cryptography to sign the header and payload with a key to ensure the data it contains is legitimate. Think of the digital signature as a tamper-proof seal on a medicine canister.
Token-based (JWT) authentication vs. cookie-based authentication
JWTs are sometimes used to authenticate users once they log in to a web application. However, cookies can be used for this purpose too.
A cookie is a small data file a server sends to a client. When a user signs in to a web application, the server generates a cookie and sends it to the client device (typically a user’s computer or smartphone). The client device stores the cookie in the browser’s cache and includes a copy of the cookie in future requests to the server, similar to how JWTs can be used. Once the user signs out, the browser deletes the cookie.
Cookies have a much smaller file size than JWTs because JWTs include headers and digital signatures in addition to the payload. By contrast, the cookie only contains the payload. This makes them far more efficient in terms of web performance and bandwidth.
- Web performance: A cookie loads faster because it contains less information — think of how a photo downloads faster than a video.
- Bandwidth: Because cookies are smaller, they reduce the total amount of data that needs to pass over networks between the client and server. This may result in cost savings compared to JWTs for the web application operator.
JWTs are not optimized for performance because they include digital signatures, which ensure their contents have not been tampered with. But if a web application uses HTTPS (as it should), a cookie should be tamper-proof anyway. HTTPS will encrypt and sign the cookie along with all the other HTTP data being exchanged between the client and server, and attackers should not be able to forge or intercept it in transit unless they carry out an on-path attack.
JWTs are better suited for APIs and server-to-server connections. Such uses do not need to scale up as much: a web application may get a million users but will not have a million API connections. This reduces the potential impact on performance and bandwidth. However, other authentication methods, like mutual TLS, are sometimes more efficient for APIs — learn more about mutual TLS.
