100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

OAuth & JWT Authentication Cheat Sheet

OAuth & JWT Authentication Cheat Sheet

Explains OAuth 2.0 grant types, the Authorization Code plus PKCE flow, and JWT structure, claims, and verification for securing APIs.

2 PagesAdvancedMar 20, 2026

OAuth 2.0 Grant Types

Which flow to use for which kind of client.

  • Authorization Code- Most secure flow for server-side apps; exchanges a code for tokens
  • Authorization Code + PKCE- Required for public clients (SPAs, mobile apps) to prevent code interception
  • Client Credentials- Machine-to-machine auth; app authenticates as itself, no user involved
  • Refresh Token- Exchanges a long-lived refresh token for a new access token without re-login
  • Device Code- For input-constrained devices (smart TVs); user authorizes on a second device
  • Implicit (deprecated)- Returned tokens directly in the URL fragment; insecure, replaced by PKCE

Authorization Code Flow (PKCE)

Generating a code verifier/challenge and exchanging the code for tokens.

bash
# 1. Generate PKCE verifier and challengeCODE_VERIFIER=$(openssl rand -base64 32 | tr -d '=+/')CODE_CHALLENGE=$(echo -n "$CODE_VERIFIER" | openssl dgst -sha256 -binary | base64 | tr -d '=+/')# 2. Redirect the user to the authorization endpoint# https://auth.example.com/authorize?#   response_type=code&client_id=abc123&redirect_uri=https://app.com/callback#   &scope=openid%20profile&state=xyz&code_challenge=$CODE_CHALLENGE&code_challenge_method=S256# 3. Exchange the returned ?code=... for tokenscurl -X POST https://auth.example.com/token \  -d grant_type=authorization_code \  -d code=AUTH_CODE_FROM_REDIRECT \  -d redirect_uri=https://app.com/callback \  -d client_id=abc123 \  -d code_verifier=$CODE_VERIFIER# Response# {"access_token":"eyJ...","refresh_token":"...","expires_in":3600,"token_type":"Bearer"}

JWT Structure & Verification

Signing and verifying a JSON Web Token with a shared secret.

javascript
// A JWT has 3 base64url parts: header.payload.signature// eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SflKxwRJSMeKKF2QT4f...const jwt = require('jsonwebtoken');// Sign (server issues token)const token = jwt.sign(  { sub: 'user123', role: 'admin' },  process.env.JWT_SECRET,  { expiresIn: '1h', issuer: 'api.example.com' });// Verify (server validates incoming token)try {  const payload = jwt.verify(token, process.env.JWT_SECRET, {    issuer: 'api.example.com',  });  console.log(payload.sub);} catch (err) {  // TokenExpiredError, JsonWebTokenError, etc.  console.error('Invalid token:', err.message);}

Standard JWT Claims

Registered claim names defined by RFC 7519.

  • iss- Issuer — identifies who created and signed the token
  • sub- Subject — the user/entity the token represents
  • aud- Audience — intended recipient(s) of the token
  • exp- Expiration time (Unix timestamp); token is invalid after this
  • iat- Issued-at time
  • nbf- Not-before time; token is invalid until this timestamp
  • jti- JWT ID — unique identifier, useful for revocation lists
Pro Tip

Never store JWTs containing sensitive claims in localStorage for browser apps — it's readable by any injected script (XSS). Prefer httpOnly, Secure, SameSite cookies for the access and refresh token pair.

Was this cheat sheet helpful?

Explore Topics

#OAuthJWTAuthentication#OAuthJWTAuthenticationCheatSheet#WebDevelopment#Advanced#OAuth20GrantTypes#Authorization#Code#Flow#Security#APIs#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet