pythonjwtbackendfastapi

Refresh tokens and access tokens using JWT


I'm currently working on a backend in FastAPI and I have a question related to authorization and JWT. I'm wondering if it's advisable to use different secret keys for access tokens and refresh tokens.

My concern is that anyone might be able to modify the payload in the token, potentially using a refresh token as an access token. What are your thoughts on this?


Solution

  • If you use JWT in any framework you must know that it ensures data(payload) integrity. So anyone is able to modify the token payload as is signed with your private key (secret key).

    Also anyone can create a valid token unless they have your secret key.

    https://medium.com/@extio/understanding-json-web-tokens-jwt-a-secure-approach-to-web-authentication-f551e8d66deb#:~:text=Advantages%20of%20JWT&text=Security%3A%20JWTs%20are%20digitally%20signed,cookies%20or%20server%2Dside%20sessions.