Securing Your API: How to Handle Stolen Tokens Effectively

Parveen Kumar

Have you ever wondered what would happen if your token was stolen by someone?

To authenticate API requests from valid users, we mostly use JWT (JSON Web Token). A JWT consists of three Base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims such as the user id and expiry) and the signature, which is computed over the encoded header and payload with the server's secret so that any change to either part is detected.

Once you log into the website, a token is generated with `jwt.sign()`. The first argument is the payload you want to carry (keep it minimal, e.g. the user id, and never a password), and the second is the signing secret (not a salt: it must stay private on the server, because it is what verifies the token later).

Once the user is logged in and the token has been generated, save the token in the users table along with the user details (see `generateAuthToken()` below).

![Screenshot of generateAuthToken() saving the token on the user record](https://lh7-us.googleusercontent.com/docsz/AD_4nXezxHA9BAL3mCgk0qxSFEb89NQlIB-TQ_MuQ97YI4mEL06CoeJExptuSURVbIKbMYQempfwSBRImRmjge_6romxbWzq5Jt8ahLXLA9uEpVZOLfEOVKkQVCcdHVb0fmVzqyDfnJVEhRN4WxaBgVKhou9R5DhkQR3NTWxmHSqRpKLoSA6IjJbrg?key=paKJmpL4MLWKlu79DSwDeg align="left")

Now, to authenticate every user request (except sign-in and sign-up), the client sends this token and the server checks it.

Now comes the crucial step that prevents a stolen token from being used. We won't just verify the token's signature and expiry; we'll also verify the user. We look up the user from the token's payload and ensure that the token received is exactly the token we stored for that user in the users table. A JWT on its own stays valid until it expires, so this stored-token check is what gives the server the ability to revoke it; the trade-off is one database lookup per request and a single active token per user.

Now, when the user logs out, make sure to remove the token from the users table for that user. From that moment every copy of the token, including a stolen one, is rejected even though its signature is still valid.

By following these practices, you can safeguard your API from unauthorized access, revoke a stolen token as soon as the user logs out, and ensure a secure user experience.


Written by Parveen Kumar

I am a full-stack MERN engineer with a product-centric approach, specializing in the design and development of scalable, reliable, production-ready web applications. I bring expertise in JavaScript, React, and Node.js. Get in touch! paulparveen01@gmail.com