In jwt, they write that user authentication can be implemented even without storing the token in the database. What then is the sequence of actions? Since I have only one algorithm in my head: for example, the user sends a post request in json format to a specific url, and the method, by comparison with the database, understands whether to give access or not. But this is not the case. It is correct to give him access without a password and login, only by the hash key. That is exactly what jwt was invented for. I downloaded lcobucci/jwt, and with the generated key. And then what? What should the user transfer to me in order to form his separate key? And then let him through with it? And make it safe.

  • The whole point of jwt is that it keeps all the necessary information in it. I warn you right away that a jwt token cannot be revoked. I.e. it will work until it expires. - ArchDemon
  • @ArchDemon I need to upload my information for the same url for each user. How can I understand who should be given access and, accordingly, the token, and who should not be given? - doox911
  • @ArchDemon And I also need to accept this data. - doox911
  • If the user does not have a token, you check the validity of the user and give him a token. Further, if a token comes to you, then you do not go into the database and do not check the validity of the user. The presence of the token already indicates validity. - ArchDemon 3:46 pm
  • @ArchDemon Ok. I understand that for each user I give out a unique jwt. Then I do not understand how to tell that these are the right keys? - doox911 7:14 pm
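The sequence ArchDemon describes, written out as an added example (not from the question or from lcobucci/jwt, and in Python with only the standard library rather than PHP so the mechanism is visible): a login without a token is checked against the user store and answered with a signed HS256 token; a later request that carries a token is checked by signature and expiry alone, with no database lookup. The user store, password and `SECRET` are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed server-side secret; the client never sees it, only signed tokens.
SECRET = b"constructed-server-secret-change-me"
# Constructed user store: username -> (sha256 hex of password, user id).
USERS = {"alice": (hashlib.sha256(b"correct horse").hexdigest(), 42)}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, password: str, now=None, ttl=3600):
    """Step 1: no token yet, so the credentials are checked against the store."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    if rec is None or not hmac.compare_digest(rec[0], given):
        return None  # wrong login or password: no token is issued
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": rec[1], "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str, now=None):
    """Step 2: a token is present, so only signature and expiry are checked."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm server-side; the token header must not choose it.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered token
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None  # malformed base64 or JSON
    if claims.get("exp", 0) <= now:
        return None  # expired: the only way a token stops working
    return claims  # the claims themselves say who the user is
```

Because nothing is stored per token, the server cannot revoke one before `exp`, which is why a short `ttl` is the practical control.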
