interview

home / developersection / interviews / how does token-based authentication work?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

05-Jun-2025

Token-based authentication is a stateless, scalable way to manage user sessions in APIs and web apps. Here’s how it works, step by step:

Overview of the Flow

1. User Logs In

The user sends their credentials (e.g., username and password) to the authentication server via a POST request.

POST /api/login
{
  "username": "john",
  "password": "secret"
}

2. Server Validates Credentials

If valid, the server generates a token (often a JWT) that contains encoded user info (like userId, roles, expiration time).

3. Token is Sent to the Client

The server returns the token in the response:

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

4. Client Stores the Token

  • The client (browser, mobile app, etc.) stores it in:
  • Browser: localStorage / sessionStorage
  • Mobile: Secure storage

5. Client Sends Token with Each Request

For every request to protected resources, the client includes the token in the Authorization header:

GET /api/user/profile
Authorization: Bearer eyJhbGciOi...

6. Server Verifies Token

  • The server verifies the token (checks signature, expiration, etc.).
  • If valid, the request proceeds.
  • If invalid or expired, return 401 Unauthorized.

7. No Server-Side Session

The server does not store session state — all info is in the token itself. This makes it stateless and scalable.

Common Token Types

Type Description
JWT (JSON Web Token) Self-contained token with claims (user info, expiry, etc.).
Opaque Token Random string, requires DB lookup to validate.

Benefits

  • Stateless: no need to store session on the server.
  • Scalable: great for distributed/microservice architectures.
  • Secure (if HTTPS and token handling is done right).
  • Supports expiration, revocation (with some trade-offs).

Common Security Best Practices

  • Always use HTTPS.
  • Set short expiration + refresh tokens (OAuth2-style).
  • Store tokens securely (not in localStorage if XSS is a risk).
  • Use proper token revocation strategy (e.g., blacklist).
MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy