Refreshing a JWT
Toddappleton (Talk | contribs) |
Toddappleton (Talk | contribs) |
||
| Line 12: | Line 12: | ||
Your user authenticates at 09:00 and receives a JWT. This token is valid until 10:00. Between 10:00 and 15:00 it can be refreshed as many times as you like. When the token is refreshed the timers are reset. For example if you refresh at 13:00 then the token is valid until 14:00, and can be refreshed until 19:00. | Your user authenticates at 09:00 and receives a JWT. This token is valid until 10:00. Between 10:00 and 15:00 it can be refreshed as many times as you like. When the token is refreshed the timers are reset. For example if you refresh at 13:00 then the token is valid until 14:00, and can be refreshed until 19:00. | ||
| − | + | For these examples assume your current session token is abc.123.efg. | |
| − | + | === Refreshing JWT as an Admin === | |
| − | + | The Admin refresh API endpoint is api/v2/system/admin/session | |
| + | |||
| + | Request URL: | ||
<pre>PUT https://foo.com/api/v2/system/admin/session?session_token=abc.123.efg</pre> | <pre>PUT https://foo.com/api/v2/system/admin/session?session_token=abc.123.efg</pre> | ||
| − | -- | + | Note: Session token can also be supplied using X-DreamFactory-Session-Token request header. |
| − | + | === Refreshing JWT as a User (non-admin) === | |
| − | + | The non-admin refresh API endpoint is api/v2/user/session | |
| − | + | Request URL: | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
<pre>PUT https://foo.com/api/v2/user/session?session_token=abc.123.efg</pre> | <pre>PUT https://foo.com/api/v2/user/session?session_token=abc.123.efg</pre> | ||
| − | + | Note: Session token can also be supplied using X-DreamFactory-Session-Token request header. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | X-DreamFactory-Session-Token | + | |
| − | + | ||
Revision as of 19:50, 30 June 2016
DreamFactory uses JSON Web Tokens (JWT) to maintain user session on the server side in a stateless manner. One of the features of JWT is the ability to refresh the token without re-authenticating as long as the JWT (token) is within the allowed refresh time-frame since it was created. There are two time-to-live (TTL) values that you can configure for JWT in the .env file.
- DF_JWT_TTL
- Expiration TTL. This the time (in minutes) until the token expires. After it expires it can be refreshed until DF_JWT_REFRESH_TTL.
- DF_JWT_REFRESH_TTL
- Refresh TTL. This the time (in minutes) in which you can refresh the token. Between DF_JWT_TTL and DF_JWT_REFRESH_TTL the token can be refreshed as many times as you want without reauthenticating. After DF_JWT_REFRESH_TTL you must log in again.
For example, let's say your expiration TTL (DF_JWT_TTL) is 60 (1 hour) and your refresh TTL (DF_JWT_REFRESH_TTL) is 360 (6 hours). Your user authenticates at 09:00 and receives a JWT. This token is valid until 10:00. Between 10:00 and 15:00 it can be refreshed as many times as you like. When the token is refreshed the timers are reset. For example if you refresh at 13:00 then the token is valid until 14:00, and can be refreshed until 19:00.
For these examples assume your current session token is abc.123.efg.
Refreshing JWT as an Admin
The Admin refresh API endpoint is api/v2/system/admin/session
Request URL:
PUT https://foo.com/api/v2/system/admin/session?session_token=abc.123.efg
Note: Session token can also be supplied using X-DreamFactory-Session-Token request header.
Refreshing JWT as a User (non-admin)
The non-admin refresh API endpoint is api/v2/user/session
Request URL:
PUT https://foo.com/api/v2/user/session?session_token=abc.123.efg
Note: Session token can also be supplied using X-DreamFactory-Session-Token request header.
