# JWT Authentication

MyWarranties uses JSON Web Tokens (JWT) for API authentication.

## How It Works

- User requests a verification code via email
- User verifies the code and receives a JWT token
- Token is included in subsequent API requests
- Token expires after a configured duration

## Token Structure

The JWT contains the following claims:

```json
{
  "iat": 1704067200,
  "exp": 1704153600,
  "roles": ["ROLE_USER"],
  "username": "user@example.com"
}
```

| Claim | Description |
|---|---|
| `iat` | Issued-at time (Unix timestamp, seconds) |
| `exp` | Expiration time (Unix timestamp, seconds) |
| `roles` | Array of the user's roles |
| `username` | User's email address |
## Using Tokens

Include the token in the `Authorization` header:

```http
GET /api/products
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```

## Token Lifecycle
### Obtaining a Token

Request a verification code:

```http
POST /api/send-code
Content-Type: application/json

{
  "email": "user@example.com"
}
```

Verify the code:

```http
POST /api/verify-code
Content-Type: application/json

{
  "email": "user@example.com",
  "code": "123456"
}
```

Response:

```json
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 1,
    "email": "user@example.com",
    "name": "John Doe",
    "roles": ["ROLE_USER"]
  }
}
```

### Token Expiration
By default, tokens expire after 24 hours. When a token expires:

- The API returns `401 Unauthorized`
- The client must request a new verification code
- The user verifies the code and receives a new token
## Error Responses

### Missing Token

```json
{
  "code": 401,
  "message": "JWT Token not found"
}
```

### Expired Token

```json
{
  "code": 401,
  "message": "Expired JWT Token"
}
```

### Invalid Token

```json
{
  "code": 401,
  "message": "Invalid JWT Token"
}
```

## Security Considerations
### Token Storage

- Store tokens securely (Keychain on iOS, EncryptedSharedPreferences on Android)
- Never store tokens in `localStorage` for web applications
- Clear tokens on logout

### Token Refresh

The system uses passwordless authentication, so there is no refresh token mechanism. When the token expires, users simply request a new verification code.
## Configuration

JWT configuration is set via environment variables:

```env
# RSA key pair used to sign and verify tokens (see Generating Keys below)
JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
# Passphrase protecting the private key
JWT_PASSPHRASE=your-passphrase
# Token TTL in seconds (default: 86400 = 24 hours)
JWT_TTL=86400
```

### Generating Keys
```bash
# Generate a passphrase-protected (AES-256) RSA private key
openssl genpkey -out config/jwt/private.pem -aes256 -algorithm rsa -pkeyopt rsa_keygen_bits:4096

# Derive the public key from it
openssl pkey -in config/jwt/private.pem -out config/jwt/public.pem -pubout
```
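As an added illustration (not code from MyWarranties or its JWT bundle), the following Go program shows what the server side does with the key pair generated above: it issues and verifies RS256 tokens carrying the claims from Token Structure, pins the exact header shown in the Bearer example, and reports failures with the same messages as the 401 bodies above. `Claims`, `Sign` and `Verify` are names chosen here; the private key is assumed to be an `*rsa.PrivateKey` already loaded from the PEM file (key loading is left out).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct { // the payload documented under Token Structure
	Iat      int64    `json:"iat"`
	Exp      int64    `json:"exp"`
	Roles    []string `json:"roles"`
	Username string   `json:"username"`
}
const header = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9" // {"alg":"RS256","typ":"JWT"}, as in the Bearer example
func sum(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// Sign issues header.payload.signature; RS256 is RSA PKCS#1 v1.5 over SHA-256.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}
func validSig(pub *rsa.PublicKey, parts []string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(parts[0]+"."+parts[1]), sig) == nil
}
// Verify returns the claims, or an error whose text matches the 401 bodies above.
func Verify(pub *rsa.PublicKey, token string, now int64) (*Claims, error) {
	if token == "" {
		return nil, errors.New("JWT Token not found")
	}
	var c Claims
	parts := strings.Split(token, ".")
	// Pin the header (rejects alg=none/HS256) and check the signature before any claim is read.
	if len(parts) != 3 || parts[0] != header || !validSig(pub, parts) {
		return nil, errors.New("Invalid JWT Token")
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("Invalid JWT Token")
	}
	if now >= c.Exp { // RFC 7519: the current time must be strictly before exp
		return nil, errors.New("Expired JWT Token")
	}
	return &c, nil
}
```

`Verify` takes the current time as a Unix timestamp so that expiry can be exercised deterministically; in a real handler pass `time.Now().Unix()`.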