What best way for JWT authentication?

What best way to use JWT authentication in phoenix?
pow, guardian or maybe some thing else?

Thanks :slight_smile:

I would say Guardian. But I have not made an extensive comparison.
Aslo, you can use Guardian with Pow or other libraries.

If it is user facing auth then I would say - don’t. Just use regular session cookies, and if you want signed tokens, then PASETO is better choice.


Have also a look at phx_gen_auth which will eventually be part of Phoenix:

It’s not JWT specifically but it uses token.

The hatred of JWT almost jumped out from my monitor, vividly.

can paseto be used with guardian ?

It is not hatred, it is more of a pity. JWT is abused in places where it shouldn’t be used as stateless tokens aren’t suitable for general purpose authentication. Also JWT just done poor choices from the security viewpoint. It is much better to use versioned and fixed set of small, proven, and chosen by experts, algorithms than to allow everyone to pick their own, as in the end it can cause leakages. PASETO for stateless tokens (when needed) is much better. However for general purpose authentication over HTTP it is much better to use sessions with good old signed cookies (especially if marked as http-only cookies).

In general - when used properly, JWT isn’t that bad, but there are better options for such uses anyway.

No idea. I do not use Guardian at all.