Tags: authentication, jwt, http-headers, authorization, bearer-token

x-auth-token vs x-access-token vs Authorization in JWT


I have seen different solutions when building JWT-based authentication systems between react and node. There are many examples, and many of them use different headers.

What is the difference between headers

  • Authorization
  • x-auth-token
  • x-access-token

and when should they be used? For example, in this answer there is an explanation that Authorization would be the one to be used. However, another answer here, which links to here, states that "The Authorization header is usually, but not always, sent after the user agent first attempts to request a protected resource without credentials."

Which leads to the conclusion that when making the request for some protected page behind login, one should not use the Authorization header at once, only after it has first been rejected.

Thus, what is the "correct" way of doing the checks, and with which protocol? For example, should one start with x-auth-token in the header when logging in with client -> server, and for requests after that use x-access-token, and if that fails then use the Authorization token?

I know that typically only one of them is used, and in many cases it seems that Authorization is the correct way, adding it already in the first attempt, not only after the first one has failed. And I can make the application work regardless.

But out of curiosity and for the sake of correct coding, what is the difference between those, are there more to use, and what is "the right way" to do the authentication process?


Solution

  • I believe that this and this other answer might give you a nudge in the right direction:

    Authorization is the primary header used by clients to authenticate against peers in HTTP as foreseen in RFC 7235.

    [...]

    Please note that with X-Auth-Token being an unregistered header, it is subject to no formal specification and its presence and content is always tied to a respective application. No general assumptions can be made on it.

    And in the other answer:

    The best HTTP header for your client to send an access token (JWT or any other token) is the Authorization header with the Bearer authentication scheme.

    Hence, I believe that the "international convention" (if I may) appears to be to use the Authorization header, as the x-access-token is not standard and unregistered, so I'm guessing it's better for code readability to use an already known standard.

    Furthermore, even the team behind JWT recommends using the Authorization: Bearer <token> scheme:

    Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema.

    However, I understand your confusion: several tutorials around the internet seem to be using the x-access-token to send JWT tokens.

    EDIT: I think you might find it useful to read the relevant MDN Docs on HTTP Authentication - Authentication Schemes.