OAuth2 and JWT implementation for a mobile app service

Hello,

Is there any article or guide available on how to implement OAuth2 and JWT for token authentication of requests from a mobile app and web platform?

I would be grateful for any help in this regard.

Thanks.

Jerry

1 Like

I am a Developer Advocate for Mobile API security, and you can confirm that by my contributions in the security tag on StackOverflow, where you may find some useful information to apply in your project. You can also take a look at my blog posts to find some useful information about security. Feel free to skip the ones that are specific to the product of the company where I work. :wink:

While not in Elixir, you can see this repo I am maintaining at work for the demo in this series of blog posts about practical API security within the context of a mobile app and a web interface used to attack the mobile app API:

In this mini series I am going to use a fictional product, “ShipFast”, to walk you through the process of defending against various exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company.

You can also read this series of blog posts on Mobile API security techniques for a deeper dive into what type of attacks you can expect, how to defend against them and how the attacker can bypass those same defenses.

Have fun reading them, and while they were written by my colleagues, I am happy to clarify any doubt you may have regarding API security.

DO YOU WANT TO GO THE EXTRA MILE?

In any response to a question that relates to security I always like to reference the excellent work from the OWASP foundation.

For Web Apps

OWASP Web Top 10 Risks

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

The Web Security Testing Guide:

The OWASP Web Security Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing most common web application and web service security issues.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

2 Likes
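The original question is about authenticating mobile and web requests with a JWT. The reply above points to reading material rather than code, so here is an added example of the server-side check such a setup needs: it is not code from this thread, from Exadra37's ShipFast repo or from any OWASP project, and it is written in Python (rather than Elixir) so it runs stand-alone with no dependencies. The shared secret, the audience value "shipfast-api" and the claims are constructed for the example. The verifier pins the algorithm to HS256 before looking at the signature, compares the HMAC in constant time, and only then trusts the `exp`, `nbf` and `aud` claims.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed for this example: the HMAC secret an API server would hold to
# verify HS256 tokens issued by its own auth endpoint. Not a real secret.
SECRET = b"example-server-secret-do-not-use-in-production"
# Hypothetical audience value the API expects to find in the token.
EXPECTED_AUDIENCE = "shipfast-api"


def _b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding JWT strips before decoding.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. Included only to produce sample tokens for the check."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET,
                 audience: str = EXPECTED_AUDIENCE, now=None) -> dict:
    """Validate a bearer token and return its claims, or raise ValueError.

    Order matters: structure, algorithm pinning and signature are checked
    before any claim in the payload is read, so untrusted input never steers
    the verification.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    # Pin the algorithm server-side; the token must not choose it. This is
    # what defeats 'alg: none' and algorithm-confusion tokens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def is_rejected(token: str, **kwargs) -> bool:
    """True when verify_token refuses the token; handy for request middleware."""
    try:
        verify_token(token, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a token valid between t=1000 and t=2000.
    tok = issue_token({"sub": "user-42", "aud": EXPECTED_AUDIENCE, "exp": 2000, "nbf": 1000})
    print("valid at t=1500:", verify_token(tok, now=1500)["sub"])
    print("rejected at t=2500:", is_rejected(tok, now=2500))
```

A real deployment would pair this with a short `exp` and a refresh flow, rotate the secret (or move to an asymmetric algorithm and distribute only the public key), and reject tokens from a denylist on logout; none of that changes the order of checks shown here.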

Thanks @Exadra37.
I shall go through the vast information shared to identify ways it could meet my needs.

Regards,

Jerry

1 Like