Security & Best Practices

JWT Authentication & Authorization

Simulate secure authentication flows with JWT tokens for realistic API testing

What is JWT Authentication?

JWT (JSON Web Token) is a secure, compact way to authenticate API requests. Mock API Builder simulates real JWT authentication flows, allowing you to test your application's authentication logic without setting up a backend.

Realistic Flow

Login, receive a token, include it in requests—just like production APIs

Token Expiration

Tokens expire after 7 days by default, simulating real-world security

Protected Routes

Mark endpoints as protected—requires valid JWT to access

How JWT Authentication Works

The Authentication Flow

  1. User Logs In: POST credentials to the /auth/login endpoint
  2. Receive JWT Token: Server returns a signed JWT token that expires in 7 days
  3. Store Token: Client stores token securely (localStorage, sessionStorage, or cookies)
  4. Include in Requests: Add token to Authorization header for protected endpoints
  5. Verification: Server validates token and grants or denies access

Login Endpoint

POST /auth/login

Request Body:

json

Success Response (200):

json

Error Response (401):

json

Mock Credentials

For testing, you can use any email/password combination. The mock API will accept any credentials and return a valid token.

💡 In production, you would validate against a real user database.

Using JWT Tokens in Requests

Authorization Header Format

Include the JWT token in the Authorization header using the Bearer scheme:

cURL Example:

bash

JavaScript fetch():

javascript

Axios Example:

javascript

Protecting Endpoints

Enable Authentication for Endpoints

Mark endpoints as "protected" to require JWT authentication:

Step-by-Step:

  1. Navigate to your endpoint in the project dashboard
  2. Click "Edit Endpoint"
  3. Toggle "Require Authentication"
  4. Save changes

What Happens:

  • Requests without a token → 401 Unauthorized
  • Requests with invalid token → 401 Unauthorized
  • Requests with expired token → 401 Token Expired
  • Requests with valid token → 200 OK (or appropriate status)

Unauthorized Response

json

Token Expired Response

json

JWT Token Structure

Understanding the Token

A JWT consists of three parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1: Header

Contains the token type (JWT) and the signing algorithm (HS256, i.e. HMAC-SHA256)

json

Part 2: Payload

Contains the user data and claims

json

Part 3: Signature

An HMAC over the encoded header and payload, computed with the server's secret; recomputing it on each request is how the server verifies the token hasn't been tampered with

Complete Authentication Example

React Login Flow
javascript

Common Use Cases

User Dashboard Applications

Build and test login flows for SaaS applications, admin panels, or user portals before connecting to a real authentication system.

Mobile App Development

Test authentication in iOS and Android apps without waiting for backend APIs. Store tokens securely using platform-specific storage.

Testing Token Expiration

Verify your app handles expired tokens correctly by testing with tokens that are set to expire soon. Ensure users are redirected to login when tokens expire.

Role-Based Access Control (RBAC)

Test different user roles (admin, user, guest) by including role information in the JWT payload and enforcing permissions on the frontend.

Best Practices

  • Store tokens securely using httpOnly cookies when possible, or secure storage APIs
  • Always use HTTPS in production to prevent token interception
  • Handle token expiration gracefully by redirecting users to login
  • Include tokens in Authorization header rather than URL parameters
  • Clear tokens on logout to prevent unauthorized access
  • Validate tokens on every protected request to ensure they're still valid
  • Test both success and failure scenarios including invalid credentials and expired tokens