Recall & Review
beginner
What is JWT token propagation in microservices?
JWT token propagation means passing the user's JWT token from one microservice to another to maintain user identity and permissions across services.
beginner
Why is JWT token propagation important in microservices?
It allows each microservice to verify the user's identity and permissions without needing to ask the user to log in again, enabling secure and seamless communication.
intermediate
How is a JWT token typically propagated between microservices?
The JWT token is usually sent in the HTTP Authorization header as a Bearer token when one microservice calls another.
intermediate
What should a microservice do when it receives a JWT token?
It should validate the token's signature, check expiration, and verify claims to ensure the token is valid and the user is authorized.
advanced
Name one common challenge with JWT token propagation in microservices.
One challenge is token expiration and refresh, as tokens may expire during long chains of service calls, requiring strategies to refresh or reissue tokens.
Where is the JWT token usually sent when propagating between microservices?
A. In the HTTP response body
B. In the URL query parameters
C. In the HTTP Authorization header as a Bearer token
D. In a cookie only
JWT tokens are commonly sent in the Authorization header as Bearer tokens for security and standardization.
What must a microservice do before trusting a received JWT token?
A. Ignore the token if it looks long
B. Validate the token signature and claims
C. Send the token back to the client
D. Store the token in a database
Validating the token signature and claims ensures the token is authentic and not tampered with.
What problem can occur if JWT tokens expire during propagation?
A. Tokens lose their signature
B. Tokens become larger in size
C. Tokens get automatically refreshed
D. Services may reject requests due to invalid tokens
Expired tokens cause services to reject requests, so handling token refresh is important.
Which of these is NOT a typical claim in a JWT token?
A. User password
B. Expiration time
C. User ID
D. Issuer
Passwords should never be included in JWT claims for security reasons.
What is a common way to handle token propagation in asynchronous microservice calls?
A. Include the JWT token in message headers or metadata
B. Send the token in the request body only
C. Do not propagate tokens in async calls
D. Use cookies only
In async calls, tokens are often included in message headers or metadata to maintain identity.
Explain how JWT token propagation works in a microservices system and why it is necessary.
Think about how a user stays logged in when multiple services talk to each other.
Describe common challenges and best practices when implementing JWT token propagation.
Consider what can go wrong and how to keep tokens safe and valid.
Practice
1. What is the main purpose of JWT token propagation in a microservices architecture?
easy
A. To encrypt all communication between microservices
B. To store user data permanently in each microservice
C. To securely share user identity information across multiple services
D. To replace API keys for service-to-service authentication
Solution
Step 1: Understand JWT token role
JWT tokens carry user identity and claims securely in a compact form.
Step 2: Identify propagation purpose
Propagating JWT tokens allows each microservice to verify and trust the user's identity without storing it locally.
Final Answer:
To securely share user identity information across multiple services -> Option C
Quick Check:
JWT propagation = share identity securely [OK]
Hint: JWT tokens carry user identity for trust across services [OK]
Common Mistakes:
Confusing JWT propagation with data storage
Thinking JWT encrypts all communication
Assuming JWT replaces all authentication methods
2. Which HTTP header is commonly used to forward the JWT token between microservices?
easy
A. Authorization
B. X-Auth-Token
C. Cookie
D. Content-Type
Solution
Step 1: Identify standard header for tokens
The Authorization header is the standard way to send bearer tokens like JWT in HTTP requests.
Step 2: Confirm other headers' roles
X-Auth-Token is less standard, Cookie is for browser sessions, Content-Type defines data format.
Final Answer:
Authorization -> Option A
Quick Check:
JWT token sent in Authorization header [OK]
Hint: JWT tokens go in Authorization header as Bearer [OK]
Common Mistakes:
Using Cookie header for token forwarding
Confusing Content-Type with authentication headers
Assuming custom headers like X-Auth-Token are standard
3. Consider this code snippet in a microservice forwarding a JWT token:
What will happen if the original request has no Authorization header?
medium
A. The Authorization header is set to an empty string
B. Service B receives an Authorization header with value 'undefined'
C. The fetch call throws an error and fails
D. Service B receives the request without any Authorization header
Solution
Step 1: Check header forwarding code
The code forwards req.headers['authorization'] directly as the Authorization header value.
Step 2: Understand missing header behavior
If req.headers['authorization'] is undefined, the header is omitted in fetch, so Service B gets no Authorization header.
Final Answer:
Service B receives the request without any Authorization header -> Option D
Quick Check:
Missing header means no Authorization sent [OK]
Hint: Undefined header means no header sent, not 'undefined' string [OK]
Common Mistakes:
Assuming 'undefined' string is sent as header value
Expecting fetch to throw error on missing header
Thinking header is set to empty string automatically
4. A microservice fails to verify JWT tokens from upstream services. Which of these is the most likely cause?
medium
A. The microservice does not forward the Authorization header
B. The microservice uses a different secret or public key to verify tokens
C. The microservice sends tokens in the request body instead of headers
D. The microservice caches tokens for too long
Solution
Step 1: Analyze verification failure causes
Verification fails if the microservice uses a wrong secret or public key to check the JWT signature.
Step 2: Evaluate other options
Not forwarding headers causes downstream issues; sending tokens in the body is non-standard but does not cause verification failure; caching affects freshness but not signature verification.
Final Answer:
The microservice uses a different secret or public key to verify tokens -> Option B
5. In a microservices system, Service A receives a JWT token from a user and calls Service B, which calls Service C. To ensure secure JWT token propagation and verification, which design is best?
hard
A. Service A sends the JWT to Service B, which forwards the same JWT to Service C; each service verifies the token locally
B. Service A sends the JWT to Service B; Service B generates a new token for Service C with its own secret
C. Service A sends the JWT only to Service B; Service B calls Service C without any token
D. Service A sends the JWT to Service B; Service B stores the token and Service C fetches it from Service B when needed
Solution
Step 1: Understand token propagation best practice
JWT tokens should be forwarded unchanged so each service can verify the original user identity and claims.
Step 2: Evaluate alternatives
Generating new tokens breaks the trust chain; skipping tokens breaks authentication; fetching tokens from another service adds complexity and risk.
Final Answer:
Service A sends the JWT to Service B, which forwards the same JWT to Service C; each service verifies the token locally -> Option A
Quick Check:
Forward original JWT for trust and verification [OK]
Hint: Forward original JWT unchanged for trust across services [OK]