Overview
Zarna uses JWT (JSON Web Tokens) for API authentication with industry-standard security practices.
Token Security
Token Structure
Secure Storage
- Development: localStorage is acceptable for development. Risks: XSS vulnerabilities can access localStorage
- Production
Best Practices
- Use HTTPS in production: always use HTTPS to prevent token interception
- Short token expiration: access tokens 24 hours max, refresh tokens 7 days max
- Strong JWT secrets: use 256+ bit random secrets
- Implement token rotation: issue a new refresh token on each use and invalidate old ones
- Validate all claims: check expiration, issuer, audience on every request
OWASP Top 10 Compliance
- ✅ A01 Broken Access Control: RLS + JWT
- ✅ A02 Cryptographic Failures: HTTPS + encrypted secrets
- ✅ A03 Injection: Parameterized queries
- ✅ A05 Security Misconfiguration: Secure defaults
- ✅ A07 Identification & Auth Failures: JWT + OAuth
