What is token-based authentication?

Token-based authentication is one way to confirm a user's or device's identity. It relies on checking to see if the entity in question possesses a previously issued token.

Learning Objectives

After reading this article you will be able to:

  • Define token-based authentication
  • Describe the two types of token-based authentication
  • Compare token authentication with cookie-based authentication for web apps

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is token-based authentication?

Token-based authentication is the process of verifying identity by checking a token. In access management, servers use token authentication to check the identity of a user, an API, a computer, or another server.

A token is a symbolic item issued by a trusted source — think of how law enforcement agents carry a badge issued by their agency that legitimizes their authority. Tokens can be either physical (like a USB hard key) or digital (a computer-generated message or digital signature).

Token-based authentication can refer to a couple of different processes:

  1. Verifying identity via a physical token. This is a widely used authentication factor for logging in: users are asked to present their token when signing in to an account or a device. (Authentication factors are described in more depth in What is authentication?)
  2. Reconfirming identity via a web token. Web tokens are purely digital. A web token is generated by a server and sent to a client. The token is attached to each client request so that the server knows the identity of the client and knows what data the client can access. This type of token-based authentication contrasts with cookie-based authentication, which is a similar way of accomplishing the same thing — learn more below.

How does authentication with a physical token work?

Authenticating via physical token usually takes place during the user login process. The user has to prove that they possess an item no one else has. They can prove this by entering a code displayed by the item, connecting the item to a device via USB, connecting the item via Bluetooth, or several other methods. Similar to the way entering a password proves that the user possesses a piece of knowledge that no one else has, using a token proves that a user possesses an item only that user has.

There are two kinds of tokens used for this type of authentication: soft tokens and hard tokens.

  • Soft tokens involve entering a secret code or message sent to a device to prove possession of the device. Often this takes the form of a code sent to a smartphone via text message.
  • Hard tokens are hardware items that the user connects directly to a computer or mobile device to log in.

How does authentication via web token work?

A web token is digital, not a physical item. It is a message sent from a server to a client and stored temporarily by the client. The client includes a copy of the token in subsequent requests sent to the server to confirm the client's authentication status.

While physical token authentication verifies identity during the login process, web tokens are issued as the result of a successful login. They keep the logged-in session active.

However, using web tokens for user sessions is not always ideal. Many developers are proponents of using cookies instead. Web tokens may be better used for API endpoint authentication or to validate a connection between servers, instead of between server and client.

What is JSON Web Token (JWT)?

In web development, "web tokens" almost always refers to JSON Web Tokens. JSON Web Token (JWT) is a standard for creating digitally signed web tokens that contain JavaScript Object Notation (JSON) data. A server creates a token that proves the client's identity and sends it to the client. JWT uses digital signatures to prove the token is legitimate.

JWTs include three components:

  • Header: The header provides information about the JWT — what kind of token the JWT is and which method was used to digitally sign it.
  • Payload: Any JSON data can go here. JWT payloads for authentication include claims about the user's identity in the payload. They can also include information about the user's, server's, or API endpoint's permissions.
  • Digital signature: The signature uses cryptography to sign the header and payload with a key in order to ensure the data they contain is legitimate. Think of the digital signature as a tamper-proof seal on a canister of medicine.

Token-based (JWT) authentication vs. cookie-based authentication

JWTs are sometimes used to keep users authenticated once they log in to a web application. However, cookies can be used for this purpose too.

A cookie is a small data file that a server sends to a client. When a user signs in to a web application, the server generates a cookie and sends it to the client device (typically a user's computer or smartphone). The client device stores the cookie in the browser's cache and includes a copy of the cookie in future requests to the server, similar to how JWTs can be used. Once the user signs out, the browser deletes the cookie.

Cookies have a much smaller file size compared to JWTs, because JWTs include headers and digital signatures in addition to the payload. By contrast, the cookie only contains the payload. This makes them far more efficient in terms of web performance and bandwidth.

  • Web performance: A cookie loads more quickly because it contains less information — think of how a photo downloads more quickly than a video.
  • Bandwidth: Because cookies are smaller, they cut down on the total amount of data that needs to pass over networks between the client and server. This may result in cost savings compared to JWTs for the web application operator.

JWTs are not optimized for performance because they include digital signatures, which ensure their contents have not been tampered with. But if a web application is using HTTPS (as it should), a cookie should be tamper-proof anyway. HTTPS will encrypt and sign the cookie along with all the other HTTP data being exchanged between client and server, and attackers should not be able to forge it or intercept it in transit, unless they are carrying out an on-path attack.

JWTs are better suited for APIs and server-to-server connections. Such uses do not need to scale up quite as much: a web application may get a million users, but it is not going to have a million API connections. This reduces the potential impact on performance and bandwidth. However, other authentication methods, like mutual TLS, are sometimes more efficient for APIs — learn more about mutual TLS.