Closed TrevorHinesley closed 7 years ago
For those who see this issue, I got some good advice here: http://stackoverflow.com/questions/41859770/how-to-differentiate-between-json-web-tokens-from-api-partner-or-tokens-from-my/41861030?noredirect=1#comment70918581_41861030
Thanks a ton for this awesome gem. I'm currently using it for the front-end of my application to authenticate with my API and it works great. I hate to open an issue for this as it's more of a question, but I thought you might be able to give some pointers.
According to https://jwt.io, JSON Web Tokens should be passed via the following header:
Authorization: Bearer <token>
I'd like to use JSON Web Tokens for my client's API keys as well, but I'd need to be able to decode the token to see which client it is for, obviously.
If different secret keys are used for each client to encode the JSON Web Tokens, how am I supposed to know which secret key to use to decode the token? How do people normally handle this when using JSON Web Tokens for APIs?
I thought about using a single secret key for all requests, but that means if that key is ever compromised and I have to update it, ANYONE using my API has to come get a new web token.
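One way to handle the key-selection problem in the question, as an added example that is not the gem's own code: put a key id (`kid`) in the token header, use the unverified header only to look up that client's secret, and trust no claim until the signature checks out under that secret. Stdlib-only Ruby with constructed secrets; `CLIENT_SECRETS`, `issue_token` and `verify_token` are names chosen for this example, and `verify_token` returns nil for anything that must be rejected.

```ruby
require 'openssl'
require 'json'

# Constructed per-client secrets for this example; in a real service
# they would come from your key store and be rotated per client.
CLIENT_SECRETS = {
  'client-42' => 'secret-for-client-42',
  'client-77' => 'secret-for-client-77'
}.freeze

def b64url_encode(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  (padded + '=' * ((4 - padded.length % 4) % 4)).unpack('m').first
end

# Constant-time byte comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue an HS256 token whose header carries a key id (kid); the verifier
# uses it to pick the right secret before checking the signature.
def issue_token(kid, payload)
  secret = CLIENT_SECRETS.fetch(kid)
  header = { alg: 'HS256', typ: 'JWT', kid: kid }
  input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  "#{input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

# Read only the header (still unverified) to find the kid, look up that
# client's secret, and verify the signature before trusting any claim.
def verify_token(token)
  head, body, sig, extra = token.split('.')
  return nil if sig.nil? || extra
  header = JSON.parse(b64url_decode(head))
  # Pin the algorithm server-side; the token never gets to choose it.
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'
  secret = CLIENT_SECRETS[header['kid']]
  return nil if secret.nil? # unknown or revoked client key
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
  return nil unless secure_equal?(expected, b64url_decode(sig))
  JSON.parse(b64url_decode(body))
rescue JSON::ParserError
  nil
end
```

With the jwt gem itself, `JWT.decode` accepts a block that is handed the header, which is the idiomatic place for this `kid` lookup; a compromised client secret is then rotated for that one client only.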