ghost
commented
7 years ago For the server, the tokens aren't stored anywhere. Checking to see if a provided token is valid is not accomplished by checking some store of previously created tokens, but rather:
- decrypting them using the private RSA key set up in the server config
- verifying that the token has not passed its expiration date
- verifying the user contained in the decrypted token exists
- verifying the user has not reset their password or had their permissions changed since the token was created
The above steps ensure that a token is valid and the appropriate permissions are given for the request associated with that token. One consideration is that this design does not allow for the revocation of tokens; if that is required then some kind of token store would need to be created.
If the question is where should the token be stored on the client side, the answer is wherever that is reasonably secure. For example in the browser you could store them in a secure cookie or local storage, or on an iOS app you could store them in the keychain.
where tokens are stored?