Guidance on JWT / Bearer usage for external APIs
Hi all, after some tinkering, I have JWT set up within a Next.js app to use as a bearer token for an external API. The API uses the JWKS endpoint to validate the token. This works fine. I am looking for guidance on best-practice implementation for security and performance. We heavily use server patterns in Next, so we don't rely on or use `authClient`, just the server API.
At the moment, if I call `auth.api.getToken`, it issues a new token every time, thus invalidating any fetch caching to the external API. I can store this token outside the request scope (variable or local storage); however, this doesn't take into account expiration of the JWT without decrypting it and checking timestamps on each request. While this works, I am wondering if there's a more efficient or more "betterauth" way of doing this. Perhaps the OIDC Provider is a better choice here?
To sum:
- External API that takes a bearer token that should verify against our main Nextjs app via JWKS
- Main Next app uses this external api and must provide a unified JWT bearer token to it
- Other external consumers (eventually) need to use a client credentials flow to use the external API with a bearer token, which in turn validates against the main Next.js app with JWKS
The last point is a future implementation and could potentially be solved with API keys instead; however, at the start we need to handle JWTs as bearer tokens.
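One way to avoid minting a token on every outbound request, as an added example that is not part of the original post and not Better Auth's own code: cache the issued JWT server-side and reuse it until shortly before its `exp` claim, decoding only the payload (no signature check is needed here, since the app minted the token itself and the external API verifies it against the JWKS endpoint). It assumes an issuer callback that resolves to the compact JWT string, for instance `async () => (await auth.api.getToken({ headers })).token` (the `{ token }` shape is an assumption about Better Auth's response). The cache is keyed by principal because a module-scope variable in a Next server process outlives a single request: a token bound to one user's session must never be handed to a request for a different user. `fakeJwt` builds a constructed, unsigned token purely so the example runs offline.

```javascript
// Added example (not from the post or Better Auth): reuse a server-issued JWT
// until shortly before its `exp` claim instead of issuing one per request.
// Assumption: `issueToken(key)` is an async function returning the compact JWT
// string, e.g. `async () => (await auth.api.getToken({ headers })).token`.

// Decode the payload of a compact JWS without verifying it. The app minted the
// token itself and the external API verifies it against JWKS; we only read `exp`.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// A token is usable until `exp - skew`. The skew keeps a request that is
// already in flight from arriving at the API with an expired token.
function isFresh(exp, nowSeconds, skewSeconds) {
  return typeof exp === 'number' && exp - skewSeconds > nowSeconds;
}

function createTokenCache(issueToken, { skewSeconds = 30, now = () => Math.floor(Date.now() / 1000) } = {}) {
  const cached = new Map();   // key -> { token, exp }
  const inflight = new Map(); // key -> Promise<string>; dedupes concurrent refreshes

  async function refresh(key) {
    const token = await issueToken(key);
    const { exp } = decodeJwtPayload(token);
    if (typeof exp !== 'number') throw new Error('issued token has no numeric exp claim');
    cached.set(key, { token, exp });
    return token;
  }

  return {
    // `key` identifies whose token this is (e.g. the session or user id).
    // Never share one cache entry across different principals.
    async getToken(key) {
      const entry = cached.get(key);
      if (entry && isFresh(entry.exp, now(), skewSeconds)) return entry.token;
      if (!inflight.has(key)) {
        inflight.set(key, refresh(key).finally(() => inflight.delete(key)));
      }
      return inflight.get(key);
    },
    // Call on a 401 from the external API (e.g. the signing key was rotated early).
    invalidate(key) { cached.delete(key); },
  };
}

// Constructed, UNSIGNED token for local testing only: alg "none" and an empty
// signature segment. Real tokens come from the issuer and are signed.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`;
}
```

In a route handler or server action the outbound call becomes `fetch(url, { headers: { Authorization: \`Bearer ${await cache.getToken(sessionId)}\` } })`, so the header value is stable for the token's lifetime and fetch caching keyed on it keeps working. The 30-second skew is an assumed default; set it to at least the longest expected round-trip to the external API.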