JWT is stateless authentication which is quite common on the web and a great solution when you have a lot of users who need to make a lot of authenticated requests. There’s no need for database checking like with session cookies and JWTs have expiry dates built into them.
They are tamper-proof but are not encrypted so never store secrets or personal information within them.
N8N supports issuing and authenticating with the JWT Credential Type. You can use this for protecting your webhooks from unauthenticated requests. To make an authenticated request, simply add the generated token as an Authorization header prefixed with “Bearer”, e.g. Authorization: Bearer <jwt>
Here’s an example template to get you started.
When receiving webhook requests with valid JWT, the Webhook trigger will add the token’s content to the request in the property jwtPayload which saves you from doing it yourself. Neat!
Thank you @Jim_Le . I tried the workflow and the token is generated but was unable to get to step #3. The HTTP Get request simply doesn’t trigger the webhook (test & production URLs). What am I doing wrong?
Hmm, hard to say, but I’d recommend deleting the webhook trigger and re-creating it with the same settings. The aim would be to register a new webhook URL which is recognised by the system.
When this is done, copy the production URL of this new webhook back into the HTTP Request node of step 2. Ensure the workflow is “active” before executing the HTTP Request node.
Finally, if you’re still unable to trigger the webhook, try using something like Postman or cURL on the webhook URL to check your instance is accessible from the internet.
From experience, tokens shouldn’t really be treated any differently between internal and external use-cases. This is because when you do, unless you have good token management, it’s easy to get them mixed up, which brings up security concerns. Someone also might get lazy and set an internal token expiry to 9999 years, and if leaked, it’s troublesome to invalidate it.
JWTs aren’t for every auth scenario, however, so if you do see the need to have “special exemptions/cases”, then it’s probably a good sign to evaluate whether JWTs are really the right solution.