When building a REST API that is secured with tokens (JWT or something), should the token be included in the body or in the headers?

  • 6
    "Authorisation" header:

    Authorization: Bearer AAAAAAAAAA...
  • 1
    headers. See @Sbiewald's comment
  • 1
    Or in the case of websockets, a query parameter
  • 3
    @dan-pud no no no. No. No.

    Query params are logged. Headers aren't.
    In case of websockets use login/passcode headers (STOMP) or build your own auth solution exchanging secrets in the payload.

    Do NOT pass your auth info in the first HTTP header (i.e. method_path_httpVersion)