Ben Dechrai is a technologist with a staunch focus on security and privacy. This started at the age of 11, when he wrote software to stop his parents from breaking the family PC, and resulted in his working as a developer advocate for Auth0. He enjoys helping developers find the joy of experimentation, from ethical skulduggery to subversive automation, and can be found on Twitter and Instagram at @bendechrai.
You've selected your framework, set up continuous deployment, and are ready to start developing your app. But before you can begin to address the problem your software is trying to solve, there are still myriad aspects that aren't unique to your product. The most common, and likely the first your users will notice, is identity. You soon learn it's more than just a login form, and your subject-matter knowledge will be tested. Luckily, there are hordes of passionate security folk worldwide conjuring up ways to simplify this for all developers. One such open standard is the JSON Web Token, or JWT, which is best known for encapsulating a user's identity or representing a digital permission slip for accessing external systems. If you've not seen one before, you'll learn that they're quite simple under the hood, but dealing with them yourself can be a minefield. You'll see how JWTs can be mishandled, how they can most safely be consumed, and the possibilities for extending them to provide Role-Based Access Control (RBAC) capabilities. Finally, we'll look at ways that JWTs can be used as glue, for rapidly standing up proofs of concept, or even building production-ready eCommerce sites without the requirement for a custom database!