- Encryption, JWTs are signed but not encrypted by default, so anyone who intercepts one during communication can read its contents.
- Secure Token Management, if a token is stolen or leaked, an attacker can use it to gain unauthorized access until it expires or is invalidated, and a purely stateless JWT cannot be revoked early without adding server-side state.
- Decentralization, the signing secret is held centrally on the server; an attacker who obtains it can forge tokens and gain unauthorized access to the entire system.
- Token Juggling Attacks, attackers may attempt to forge or tamper with JWTs, for example by setting the `alg` header to `none` or swapping an asymmetric algorithm for an HMAC one, whenever the verifier lets the token's own header choose the signing algorithm.
- Token Size, JWTs become large when they carry many claims, which inflates every request and response that includes them and can affect network performance.
- Limited Context, JWTs lack some of the context a server-side session can provide. For example, a session ID can be tied to a specific IP address or user agent on the server, which helps detect session hijacking.
- Sensitive Data, although JWTs are usually signed to protect their integrity, their payload is only Base64url-encoded and can be decoded by anyone who holds the token, so it must not carry secrets.
In mathematics, the dot product is a fundamental operation that takes two vectors and produces a scalar by summing the products of their corresponding components. By analogy, the name "DOT" reflects the token's role in connecting services such as Storage, Trust, Compute and Identity within API interactions.
- Type is used to determine the context of the token and of the request. Type takes one of the values AUTH, SESSION, CHALLENGE and MPC.
- AUTH, used when the request is intended only for authentication, typically a GET request.
- SESSION, used to maintain the session between client and server.
- CHALLENGE, used for requests that change the user's state in the system; ideally the POST, PUT and DELETE methods use this type.
- MPC, used where the token is one share of a multi-party computation and must be aggregated and derived together with other MPC-type tokens before a specific resource can be accessed.
Signature is a web3 digest generated by signing the message with the privateKey. It can be verified against the publicKey in a decentralized manner: any verifier that holds the publicKey can check it without sharing a secret with the issuer.
Payload is a JSON object whose required fields depend on the type. Type=AUTH needs a `message` field under the payload; Type=SESSION needs an `expiresAt` field under the payload; Type=CHALLENGE needs no payload sent along with the token, since the request body acts as the payload during authentication.