
How much profile data should go in a JWT token?


You should put just enough information in your JWT token to authenticate your user without needing to make additional database requests. That's the whole point of the payload - so that authentication can be distributed. If you need to make database requests to authenticate every API call then you have not achieved distribution because you will still be centralizing your authentication process at the database.

However, do note that everything you put into your JWT tokens is public. Anyone can do a base64 decode on the token to extract the payload. Therefore, I would suggest not including your user's email address in the payload if you don't use it often (for every API call). Malicious scripts may somehow get access to the token and harvest the email addresses (which do have value and can be sold to "email marketers"). The user's ID should be enough to identify the user.

If your UI needs to display the user's name then you can also include the name but personally I'd delegate that to a profile API call (I normally implement a /myself endpoint for this).

I'd also include the user's role in the payload to avoid needing to query the database to check if the user has permission to make an API call.