OAuth & JWT Authentication Cheat Sheet
Explains OAuth 2.0 grant types, the Authorization Code plus PKCE flow, and JWT structure, claims, and verification for securing APIs.
2 PagesAdvancedMar 20, 2026
OAuth 2.0 Grant Types
Which flow to use for which kind of client.
- Authorization Code- Most secure flow for server-side apps; exchanges a code for tokens
- Authorization Code + PKCE- Required for public clients (SPAs, mobile apps) to prevent code interception
- Client Credentials- Machine-to-machine auth; app authenticates as itself, no user involved
- Refresh Token- Exchanges a long-lived refresh token for a new access token without re-login
- Device Code- For input-constrained devices (smart TVs); user authorizes on a second device
- Implicit (deprecated)- Returned tokens directly in the URL fragment; insecure, replaced by PKCE
Authorization Code Flow (PKCE)
Generating a code verifier/challenge and exchanging the code for tokens.
bash
# 1. Generate PKCE verifier and challengeCODE_VERIFIER=$(openssl rand -base64 32 | tr -d '=+/')CODE_CHALLENGE=$(echo -n "$CODE_VERIFIER" | openssl dgst -sha256 -binary | base64 | tr -d '=+/')# 2. Redirect the user to the authorization endpoint# https://auth.example.com/authorize?# response_type=code&client_id=abc123&redirect_uri=https://app.com/callback# &scope=openid%20profile&state=xyz&code_challenge=$CODE_CHALLENGE&code_challenge_method=S256# 3. Exchange the returned ?code=... for tokenscurl -X POST https://auth.example.com/token \ -d grant_type=authorization_code \ -d code=AUTH_CODE_FROM_REDIRECT \ -d redirect_uri=https://app.com/callback \ -d client_id=abc123 \ -d code_verifier=$CODE_VERIFIER# Response# {"access_token":"eyJ...","refresh_token":"...","expires_in":3600,"token_type":"Bearer"}
JWT Structure & Verification
Signing and verifying a JSON Web Token with a shared secret.
javascript
// A JWT has 3 base64url parts: header.payload.signature// eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SflKxwRJSMeKKF2QT4f...const jwt = require('jsonwebtoken');// Sign (server issues token)const token = jwt.sign( { sub: 'user123', role: 'admin' }, process.env.JWT_SECRET, { expiresIn: '1h', issuer: 'api.example.com' });// Verify (server validates incoming token)try { const payload = jwt.verify(token, process.env.JWT_SECRET, { issuer: 'api.example.com', }); console.log(payload.sub);} catch (err) { // TokenExpiredError, JsonWebTokenError, etc. console.error('Invalid token:', err.message);}
Standard JWT Claims
Registered claim names defined by RFC 7519.
- iss- Issuer — identifies who created and signed the token
- sub- Subject — the user/entity the token represents
- aud- Audience — intended recipient(s) of the token
- exp- Expiration time (Unix timestamp); token is invalid after this
- iat- Issued-at time
- nbf- Not-before time; token is invalid until this timestamp
- jti- JWT ID — unique identifier, useful for revocation lists
Pro Tip
Never store JWTs containing sensitive claims in localStorage for browser apps — it's readable by any injected script (XSS). Prefer httpOnly, Secure, SameSite cookies for the access and refresh token pair.
Was this cheat sheet helpful?
Explore Topics
#OAuthJWTAuthentication#OAuthJWTAuthenticationCheatSheet#WebDevelopment#Advanced#OAuth20GrantTypes#Authorization#Code#Flow#Security#APIs#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance