Why OneGround Uses an OAuth2 Token Endpoint

· 9 min read
Giedrius Grabauskas
Software Architect @ Visma Roxit

We have previously published an article on JWT best practices, which outlines the standards for creating secure and reliable JSON Web Tokens. It covers essential practices like using proper claims (iss, exp), managing secrets securely, and keeping tokens short-lived.

This raises an important question: Who is responsible for implementing these security rules?

In some API designs, customers are asked to generate their own JWTs. The approach is seemingly straightforward: "Here is a secret key. Please create a JWT according to our guidelines, sign it, and include it in your Authorization header."

However, this model shifts the complex and critical responsibility of security onto you, the developer of a consumer application. At OneGround, we believe that security should be a shared responsibility, but the burden of token creation should lie with the API provider. This is why we have started using a standard OAuth2 Token Endpoint, which allows you to request a token from us instead of creating one yourself.

This article explains why our approach is more secure, reliable, and ultimately simpler for you.

Standardized Document Signing Integration for ZGW APIs - Complete Guide

· 9 min read
Michiel Nijdam
Information Analyst @ Visma Roxit

Introduction

Digitally signing documents is a common task in the workflow of handling a case. Several software vendors offer solutions for this. This article describes a standardized pattern for handling the signing of documents within the ZGW API landscape. Most API calls in this pattern are already part of the ZGW standard. The missing link was a way to initiate the signing transaction. In this article we propose a standardized trigger message for this purpose.