JWT (JSON Web Tokens) for API Testing
JSON Web Tokens (JWT) are a popular method for securely transmitting information between parties as a JSON object. JWTs are particularly useful for API authentication and authorization, as they can be easily passed between a client and a server and verified quickly. Here’s an overview and an example to illustrate how JWTs work, especially in the context of API testing.
What is JWT? #
A JWT is a compact, URL-safe token that consists of three parts:
- Header: Contains metadata about the token, typically specifying the type of token (JWT) and the signing algorithm used, such as HMAC SHA256.
- Payload: Contains the claims, which are statements about an entity (typically, the user) and additional data. Claims can be predefined (like iss, exp, sub, etc.) or custom (such as role or username).
- Signature: Used to verify that the token was not altered. The signature is created by taking the encoded header, the encoded payload, a secret key, and the specified algorithm.
The JWT structure is as follows:
HEADER.PAYLOAD.SIGNATURE
Example: JWT in API Testing #
Let’s assume you have an API that requires users to be authenticated to access certain endpoints, like /user/profile. The authentication system uses JWT to issue tokens.
Step 1: User Logs In and Receives a JWT #
A user sends a login request with their credentials:
POST /api/login
Content-Type: application/json
{
"username": "exampleuser",
"password": "password123"
}
If the credentials are valid, the server responds with a JWT:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJleGFtcGxldXNlciIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjkxNzMxNjAwLCJleHAiOjE2OTE3MzUyMDB9.ZJqcX-1XlIS4nApXFP1F3qz57MNlpsJ1RyZNLmESKKw"
}This token is a JWT and will be used for subsequent requests to authenticated endpoints.
Step 2: Making an Authenticated Request #
To access the /user/profile endpoint, the client includes the JWT in the Authorization header:
GET /api/user/profile
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJleGFtcGxldXNlciIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjk1NjMxNjAwLCJleHAiOjE2OTU2MzUyMDB9.ZJqcX-1XlIS4nApXFP1F3qz57MNlpsJ1RyZNLmESKKwThe server receives the request and extracts the token. It then decodes the JWT, verifies the signature, and checks the claims (like expiration time). If the token is valid and not expired, the server processes the request and returns the user profile data.
Step 3: Decoding the JWT (For Testing Purposes) #
During API testing, you might need to decode the JWT to verify its contents. You can use online tools like jwt.io or libraries in various programming languages to decode the token and inspect the header and payload.
For example, decoding the example token might reveal:
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "exampleuser",
"role": "user",
"iat": 1695631600,
"exp": 1695635200
}Signature: The signature part of the JWT would be verified using the secret key, ensuring the token hasn’t been tampered with.
Key Points in API Testing with JWT #
- Token Expiry: Ensure that tokens expire as expected and cannot be reused indefinitely.
- Authorization Checks: Test various roles and permissions by modifying the claims in the JWT.
- Tampering: Attempt to tamper with the token to ensure the server correctly identifies and rejects invalid tokens.
- Error Handling: Verify how the API handles expired or invalid tokens.
JWTs are a powerful tool for securing APIs, and understanding how to work with them is essential for effective API testing.
