JWT Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header   │ Payload   │ Signature
────────────────────────────────────

{
  "alg": "HS256",   // HMAC SHA-256
  "typ": "JWT"
}

{
  "sub": "user-123",           // subject (who)
  "name": "Alice",
  "email": "alice@example.com",
  "iat": 1516239022,           // issued at (when)
  "exp": 1516242622,           // expiration (when)
  "aud": "api.noorle.com",     // audience (for who)
  "scope": "read execute"      // permissions
}

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret_key
)

POST https://api.noorle.com/oauth/token

Response:
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,        // seconds until expiration
  "refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
     https://api.noorle.com/agents

POST https://api.noorle.com/oauth/token

Body:
{
  "grant_type": "refresh_token",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "client_id": "noorle-cli"
}

Response:
{
  "access_token": "new-eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "new-eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 3600
}

// 1. User logs in via OAuth
const authCode = await userLogin();

// 2. Get tokens
const response = await fetch("https://api.noorle.com/oauth/token", {
  method: "POST",
  body: JSON.stringify({
    grant_type: "authorization_code",
    code: authCode,
    client_id: "my-web-app"
  })
});

const { access_token, refresh_token, expires_in } = await response.json();

// 3. Store tokens
sessionStorage.setItem("access_token", access_token);
sessionStorage.setItem("refresh_token", refresh_token);
sessionStorage.setItem("expires_at", Date.now() + expires_in * 1000);

// 4. Make API calls
async function callAPI(endpoint) {
  let token = sessionStorage.getItem("access_token");

  // Check if token expired
  if (Date.now() > sessionStorage.getItem("expires_at")) {
    token = await refreshToken();
  }

  return fetch(`https://api.noorle.com${endpoint}`, {
    headers: {
      "Authorization": `Bearer ${token}`
    }
  });
}

async function refreshToken() {
  const response = await fetch("https://api.noorle.com/oauth/token", {
    method: "POST",
    body: JSON.stringify({
      grant_type: "refresh_token",
      refresh_token: sessionStorage.getItem("refresh_token"),
      client_id: "my-web-app"
    })
  });

  const { access_token, refresh_token, expires_in } = await response.json();

  sessionStorage.setItem("access_token", access_token);
  sessionStorage.setItem("refresh_token", refresh_token);
  sessionStorage.setItem("expires_at", Date.now() + expires_in * 1000);

  return access_token;
}

// 5. Use in requests
const agents = await callAPI("/agents");
// Auto-refreshes token if needed

{
  "iss": "https://auth.noorle.com",    // issuer
  "sub": "user-123",                   // subject (user ID)
  "aud": "api.noorle.com",             // audience
  "iat": 1711179600,                   // issued at
  "exp": 1711183200,                   // expiration
  "nbf": 1711179600,                   // not before
  "jti": "unique-token-id",            // JWT ID (for revocation)

  // Custom claims
  "name": "Alice Johnson",
  "email": "alice@example.com",
  "account_id": "account-123",
  "scope": "read execute",
  "roles": ["developer", "user"]
}

POST https://api.noorle.com/oauth/revoke

Body:
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type_hint": "access_token"
}

// BAD: Token on disk
localStorage.setItem("token", accessToken);
// If browser storage compromised, token leaked

// GOOD: Token in memory only (lost on page reload)
window.token = accessToken;

// BETTER: Token in memory + refresh flow
// Token lost on reload, but refresh token in secure cookie
document.cookie = "refresh_token=...; HttpOnly; Secure; SameSite=Strict";

Set-Cookie: refresh_token=eyJhb...; HttpOnly; Secure; SameSite=Strict
            │                                │        │
            │                          Not accessible  Secure transport
            │                          from JavaScript (HTTPS only)
            └─ Browser sent auto with requests

Access token: 1 hour
  └─ If leaked, damage limited to 1 hour

Refresh token: 30 days
  └─ Longer-lived but more protected
     (in HTTP-only cookie, not JavaScript)

HTTP  → INSECURE (token in plaintext)
HTTPS → SECURE (TLS encryption)

// BAD: Trust token without validation
const payload = JSON.parse(atob(token.split('.')[1]));
// Attacker can forge any payload

// GOOD: Validate signature
const verified = jwt.verify(token, secret);
// Only valid if signed with correct secret

Short-lived (sensitive operations):
  ├─ Access token: 15 minutes
  └─ Refresh token: 7 days

Standard (web apps):
  ├─ Access token: 1 hour
  └─ Refresh token: 30 days

Long-lived (trusted apps):
  ├─ Access token: 8 hours
  └─ Refresh token: 90 days