Open in app

Sign in

Write

Sign in

A Practical Guide to Securing Your API with JWT and OAuth2

Joël-Steve N.
4 min read1 day ago

--

In today’s digital landscape, APIs are the lifeblood of modern applications — and with great power comes great responsibility. Securing your API isn’t just about locking the front door; it’s about building a robust security framework that keeps data safe while ensuring a smooth user experience. In this guide, we’ll explore how to secure your API using JSON Web Tokens (JWT) and OAuth2, complete with real-world examples and security best practices. Let’s dive in — because no one likes a leaky API!

1. Understanding JWT: The Digital ID Badge

JSON Web Tokens (JWT) are compact, URL-safe tokens used to represent claims between two parties. Think of them as digital ID badges that carry verified information about a user.

JWT Structure

A JWT consists of three parts:

  • Header: Specifies the algorithm (e.g., HS256) and token type.
  • Payload: Contains the claims (user information, roles, expiration time, etc.).
  • Signature: Ensures the token hasn’t been tampered with, created by signing the header and payload with a secret key.

Example of a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

2. OAuth2: The Gatekeeper of Modern APIs

OAuth2 is an industry-standard protocol for authorization. Rather than handling credentials directly, OAuth2 delegates the authentication process to an external provider, ensuring a more secure and flexible system.

Key Concepts of OAuth2

  • Resource Owner: The user who authorizes access.
  • Client: The application requesting access.
  • Authorization Server: Issues access tokens after authenticating the resource owner.
  • Resource Server: Hosts the protected API and accepts access tokens.

The common OAuth2 flow (like the Password or Authorization Code grant) ultimately issues a JWT as the access token, marrying the strengths of both technologies.

3. Implementing JWT and OAuth2 in Your API

Let’s get hands-on with a real-world example. We’ll use Python’s FastAPI framework to demonstrate a simple API with secure endpoints.

Step 1: Set Up Your Environment

First, create a virtual environment and install FastAPI along with Uvicorn:

mkdir secure-api
cd secure-api
python -m venv venv
# Activate your virtual environment:
# On macOS/Linux: source venv/bin/activate
# On Windows: venv\Scripts\activate
pip install fastapi uvicorn python-jose[cryptography] passlib[bcrypt]

Step 2: Create Your API Code

Create a file named main.py and add the following code:

from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from datetime import datetime, timedelta
from jose import jwt, JWTError
from passlib.context import CryptContext

# Configuration settings
SECRET_KEY = "your-very-secret-key"  # Replace with a secure key
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30

# Set up password hashing
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

# OAuth2 scheme for token handling
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

app = FastAPI()

# Dummy user database
fake_users_db = {
    "johndoe": {
        "username": "johndoe",
        "full_name": "John Doe",
        "hashed_password": pwd_context.hash("secret"),
        "disabled": False,
    }
}

# Utility functions for authentication
def verify_password(plain_password, hashed_password):
    return pwd_context.verify(plain_password, hashed_password)

def get_user(db, username: str):
    if username in db:
        return db[username]
    return None

def authenticate_user(db, username: str, password: str):
    user = get_user(db, username)
    if not user or not verify_password(password, user["hashed_password"]):
        return None
    return user

def create_access_token(data: dict, expires_delta: timedelta = None):
    to_encode = data.copy()
    expire = datetime.utcnow() + (expires_delta or timedelta(minutes=15))
    to_encode.update({"exp": expire})
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)

# Token endpoint
@app.post("/token")
async def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends()):
    user = authenticate_user(fake_users_db, form_data.username, form_data.password)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    access_token = create_access_token(data={"sub": user["username"]},
                                         expires_delta=timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES))
    return {"access_token": access_token, "token_type": "bearer"}

# Dependency to extract and verify current user
async def get_current_user(token: str = Depends(oauth2_scheme)):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception
    except JWTError:
        raise credentials_exception
    user = get_user(fake_users_db, username)
    if user is None:
        raise credentials_exception
    return user

# A protected endpoint example
@app.get("/users/me")
async def read_users_me(current_user: dict = Depends(get_current_user)):
    return current_user

Step 3: Running and Testing Your API

Run your API using Uvicorn:

uvicorn main:app --reload

Now, use your favorite API client (like Postman or your browser) to:

  • Request a Token: Post your username and password to /token.
  • Access Protected Route: Use the returned token to access /users/me with an Authorization header: Bearer <your_token>.

4. Security Best Practices

While our example above demonstrates the core functionality, securing your API in production involves additional best practices:

  • Always Use HTTPS: Encrypt data in transit by serving your API over HTTPS.
  • Secure Your Secret Keys: Store secret keys in environment variables or secure vaults, not in your source code.
  • Token Expiration and Refresh: Keep token lifetimes short and implement refresh tokens to minimize risk if a token is compromised.
  • Input Validation: Validate all inputs to avoid injection attacks.
  • Audit and Monitoring: Regularly audit your logs and set up monitoring to detect suspicious activities.
  • Implement RBAC: Consider integrating Role-Based Access Control (RBAC) for granular authorization.
  • Regular Dependency Updates: Keep your libraries up-to-date to mitigate known vulnerabilities.

5. Conclusion

By leveraging JWT and OAuth2, you can secure your API with robust, industry-standard practices. In our practical example, we used FastAPI to implement secure endpoints, ensuring that only authenticated users can access protected resources. Remember, the key to a secure API isn’t just in the technology — it’s in the continuous commitment to best practices and vigilant monitoring.

Secure your API today and build a foundation that inspires trust and confidence in your users!

If you found this guide helpful and want to dive deeper into API security, be sure to subscribe for more practical tips, tutorials, and real-world examples. Happy coding, and may your tokens always be valid!

Jwt
Oauth2
Api Security
Fastapi
Python

--

--

Joël-Steve N.
Joël-Steve N.

Written by Joël-Steve N.

471 Followers
15 Following

Senior Back-End Developer (Python, JavaScript, Java) | Community Manager & Tech Leader

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams