The Gold Standard of API Authentication

Security is the foundation of every Nodezee deployment. For stateless distributed systems, JSON Web Tokens (JWT) combined with the OAuth2 framework is our mandatory protocol. However, a "simple" JWT implementation is often a security risk; it requires professional-grade hardening.

1. The Dual-Token Strategy

We never rely on a single long-lived access token. Our architecture uses short-lived Access Tokens (valid for 15 minutes) and long-lived Refresh Tokens (stored in an HttpOnly, Secure cookie). This minimizes the "window of opportunity" if an access token is intercepted while allowing the user to stay logged in seamlessly.

2. Token Revocation and Blacklisting

Since JWTs are stateless, they cannot be easily revoked. To solve this, we maintain a "Blacklist" in Redis. When a user logs out or a security breach is detected, the token ID (the jti claim) is added to Redis with a TTL matching the token's remaining lifetime, so the entry expires exactly when the token itself would. Every request includes a sub-millisecond Redis lookup to confirm the token has not been revoked.

3. Cryptographic Integrity

We utilize asymmetric signing (RS256) rather than a symmetric HMAC (HS256). This means our Identity Provider signs the token with a Private Key, but our various microservices only need a Public Key to verify it. Because the Private Key never leaves the Identity Provider, this architecture ensures that even if a microservice is compromised, the attacker cannot forge new tokens. This level of defensive engineering is standard across our 30+ person team.
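The following is an added, self-contained illustration of sections 2 and 3 (not Nodezee's own code): issuing a 15-minute access token with a jti, verifying it on each request, and revoking it by writing the jti to a denylist whose TTL equals the token's remaining lifetime. It assumes an in-memory stand-in for Redis with SETEX/EXISTS semantics, and uses an HMAC (HS256) signature only to stay standard-library-only; with RS256 the denylist logic is identical and only the signature check changes.

```python
import base64, hashlib, hmac, json, uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class FakeRedis:
    """Constructed stand-in for Redis: only SETEX and EXISTS, with an explicit clock."""
    def __init__(self):
        self._store = {}
    def setex(self, key, ttl, value, now):
        self._store[key] = (value, now + ttl)
    def exists(self, key, now):
        entry = self._store.get(key)
        if entry is None or now >= entry[1]:   # missing or lapsed entry
            self._store.pop(key, None)
            return 0
        return 1

def issue_access_token(secret: bytes, sub: str, now: int, lifetime: int = 900) -> str:
    """Short-lived access token (15 min) carrying a unique jti for later revocation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": uuid.uuid4().hex, "iat": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, secret: bytes, denylist: FakeRedis, now: int) -> dict:
    """Per-request check: pinned alg, signature, expiry, then the denylist lookup."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never trust the header's alg blindly
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("expired")
    if denylist.exists(f"jwt:denylist:{claims['jti']}", now):
        raise ValueError("revoked")
    return claims

def revoke(token: str, denylist: FakeRedis, now: int) -> int:
    """Logout / incident response: denylist the jti only for as long as the token lives."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    ttl = max(1, claims["exp"] - now)           # TTL matches the remaining lifetime
    denylist.setex(f"jwt:denylist:{claims['jti']}", ttl, "revoked", now)
    return ttl
```

Because the denylist entry lapses at the token's exp, the store never grows beyond the set of tokens that are still unexpired.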