Hack Proof your API Calls with JWT Implementation

Written by Nishikant Wagh

Business Analyst


With most of the users accessing systems via mobile phones (applications) and web applications these days, developers need a secure way to authenticate what is appropriate for the platforms. To solve this challenge, we choose JSON Web Token (JWT) when working on commercetools applications.

JWT is an open standard (RFC 7519) for securely transmitting information between parties as JSON objects. It is compact, readable, and digitally signed using a private/public key pair by the Identity Provider (IdP). So, the integrity and authenticity of the token can be verified by other parties involved.

Business Needs

  • Authentication: When users successfully log in using their credentials, an ID token will be returned. According to the OpenID Connect (OIDC) specs, an ID token is always a JWT.
  • Authorization: Once a user successfully logs in, an application may request to access routes, services, or resources (e.g., APIs) on behalf of that user. To do so, in every request, it must pass an Access Token, which may be in the form of a JWT. Single Sign-On (SSO) widely uses JWT because of the small overhead of the format and its ability to be easily used across different domains.
  • Information Exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be sure that the senders are authentic. Additionally, the structure of a JWT allows you to verify that the content hasn't been tampered with.


At Royal Cyber, as an alternative to OAuth2 authentication, commercetools supports user authentication using JWT. We recommend this approach when a system outside of commercetools handles user authentication, and there is a trusted relationship between that system and commercetools.

The JWT contains details about the users who are making an API request. The token is signed using a private key that only the Authorization server has and will be verified upon the subsequent reception of requests.

The JWT can be passed to the API in the authentication header, just like the QAuth access token.


How is Our Accelerator Better Than Traditional Development?

Using JWT Accelerator Traditional Development
Integration Time 1 to 2 Days 8 to 10 Days
Resources/Expertise Developer with the knowledge to call APIs Need a programming expert to code and implement the feature
Customization Features can be added or removed on client request Fully customizable but needs extra efforts
Security Highly secured as it comes with data encryption, no extra security is needed More layers can be added as per requirement
Testing Efforts Only integration testing is needed, and so, it saves more than 70% time and efforts More time and effort are needed as unit testing and integration testing are being done
Reusability of Code Can be reused as needed It works only for the scenario for which it is programmed



Enterprises can leverage tokens depending on the nature of the requirement and their individual business needs. JWT can be the right option in most scenarios if implemented correctly and securely by following the proper security measures. Contact us to know how JWT can benefit your business.

Leave a Reply