Should JWT tokens always be sent through the Authorization header?

We have a web service that does not support state (not even session state), so we transfer JWT tokens between the server and the client, which contain the encrypted state of the client.

However, we also want to protect the endpoints of web services using standard server authorization features, such as basic auth.

All the documentation I have seen on JWT tokens indicates that they should be sent through the Authorization header, which makes them incompatible with something like basic auth. I know that nothing stops us from sending a token through another header, but is there any good practice for mixing standard authorization methods that use the Authorization header with JWT tokens? Otherwise, are there any recommendations or practices that state that you should not send JWT tokens in headers other than Authorization?

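One way a server can apply both checks on the same request, as an added example that is not part of the original post: the Basic credentials stay in the Authorization header and the JWT rides in a separate header. The header name X-Access-Token, the HS256 secret and the user store are constructed assumptions, and the verifier uses only the standard library.

```python
import base64, hashlib, hmac, json, time

TOKEN_HEADER = "X-Access-Token"           # hypothetical header name for the JWT
HMAC_SECRET = b"constructed-demo-secret"  # constructed; load from config in practice
BASIC_USERS = {"svc-user": "svc-pass"}    # constructed credential store

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(claims: dict) -> str:  # HS256 signer, used here only to build sample input
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(HMAC_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def check_basic(headers: dict):  # user name if Authorization carries valid Basic creds, else None
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pwd = base64.b64decode(cred, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if user not in BASIC_USERS or not hmac.compare_digest(BASIC_USERS[user].encode(), pwd.encode()):
        return None
    return user

def check_jwt(headers: dict, now=None):
    """Verify the HS256 JWT in TOKEN_HEADER and return its claims, or None."""
    try:
        head, body, sig = headers.get(TOKEN_HEADER, "").split(".")
        alg = json.loads(_b64url_decode(head)).get("alg")
        claims = json.loads(_b64url_decode(body))
        given = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if alg != "HS256" or not isinstance(claims, dict):  # pin the algorithm; never let the token pick it
        return None
    want = hmac.new(HMAC_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    now = time.time() if now is None else now
    if not hmac.compare_digest(want, given) or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(headers: dict, now=None):
    """Require both: Basic auth on Authorization and a valid JWT on TOKEN_HEADER."""
    user, claims = check_basic(headers), check_jwt(headers, now)
    return None if user is None or claims is None else {"user": user, "claims": claims}
```

Either check failing rejects the request, so the endpoint keeps its standard server-level Basic auth while the client state still travels in the JWT.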

Source: https://habr.com/ru/post/1584375/