GrizzlyAPI : Handling security with JWT for my REST APIs
Greetings IT community, we are the Code Once team, pleased to announce the arrival of the first version of GrizzlyAPI, a cloud-based platform for creating and hosting codeless microservices.
Using our tool, you can create your microservices and prepare your endpoints without writing a single line of code.
You can consult our first article to learn more about our features. You should visit our YouTube channel to watch the demonstration videos about creating microservices and defining endpoints. We also talked about securing them by adding roles at the security level of each API.
1- Introduction :
In this article, we will dive deeper into security handling by GrizzlyAPI! After creating a microservice, it has a default version 1.0.0 with an Authentication Grizzly group of endpoints that will be used later to secure your application.

2- Security Configuration :
But first, let’s analyze the security configuration linked to each microservice.
2.1- Token configuration :
In order to secure our REST APIs with a JWT, we have to create a token first! What do we need? A client ID, a security key and an expiration time span. GrizzlyAPI provides all of that, fully customizable! Apply the configuration changes that you want and save them.

You also have a default super user (admin) prepared for you to access all the endpoints without needing any extra permissions.
2.2- Managing Roles :
You can also manage roles in the security configuration section by adding or removing them. Adding roles to your application gives you full control over each API, so you can grant or deny access to certain users.

A single user can have one or multiple roles.
3- Security Documentation :
In this section, you will find the documentation of the two main endpoints: signin and signup. They help you add users to your application and get a token linked to each user after logging in.

Everything you need about these APIs is available in this section: the model that you should use, the curl request, an Angular implementation example and even the expected response.
4- Authentication Group :
Before explaining each endpoint, here are some key icons that you should be familiar with to understand the concept more.

4.1- /signin :

The /signin endpoint is public. It can be used by anyone to log into your application. It’s a POST request and it needs a body.
{
"username":"string",
"password":"string"
}
After execution, it returns a JWT that will be used to secure the endpoints you create.
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImF1dGgiOlt7ImF1dGhvcml0eSI6ImFkbWluIn1dLCJpc3MiOiJ0ZXN0IiwiZXhwIjoxNTcxMTYxNjgyfQ.GTIl_7ch282MFLBZ8ywd_FXjz6rc6YUahm_TpXWS-Hw"
}
4.2- /signup :

The /signup endpoint is public too. New users of your application will use it to create an account. It's a POST request and it needs a body as well.
You will use this model: all these fields are required, but you may add extra ones.
{
"firstname": "string",
"lastname": "string",
"username": "string",
"password": "string",
"email": "string",
"phone": "string"
}
The API returns the created user, but the account needs to be activated by the admin. Every new user automatically gets the role "user".
4.3- /allroles :

The /allroles endpoint is secured and only accessible by the admin. It needs a Bearer token in the request headers.
This API displays all the roles linked to this microservice, so that you can assign them later to users or staff.
4.4- /allusers :

The /allusers endpoint is secured and only accessible by the admin. It needs a Bearer token in the request headers.
This API displays all the users registered to your application. You can check their roles and their activation status.
4.5- /activate :

The /activate endpoint is secured and only accessible by the admin. It needs a Bearer token in the request headers.
This API is used to activate new user accounts. You need to add the username that you want to activate as a request parameter. It does not require a body.
4.6- /grant :

The /grant endpoint is secured and only accessible by the admin. It needs a Bearer token in the request headers.
This API is used to grant permissions to users so that they can access certain APIs. You need to add the username that you want to grant the permission to as a request parameter.
This method requires a body that contains an array of the roles that you want to add to this user.
{
"roles": [ "role1", "role2" ,...]
}
4.7- /updateuser :

The /updateuser endpoint is secured, but accessible by all users. It needs a Bearer token in the request headers.
What does this mean? This API is not public: it needs a token to be accessible, but any authenticated user may call it. Simply put, a user can update his own profile by sending a request body that contains the fields he wants updated. You may use the signup model to make it easier.
4.8- /deleteuser :

The /deleteuser endpoint is secured and only accessible by the admin. It needs a Bearer token in the request headers.
This API is used to delete users from your application. You need to add the username that you want to delete as a request parameter.
4.9- /me :

The /me endpoint is secured, but accessible by all users. It needs a Bearer token in the request headers. This token is used to display the current user's information.
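To make the token configuration of section 2.1 and the access rules of this Authentication group concrete, here is an added worked example in Python. It is not GrizzlyAPI's code and does not show how the platform verifies tokens internally; the page does not publish that. It decodes the /signin token shown in 4.1 (header and claims only, because the signing key is not on the page), then shows the checks a resource server has to perform on a Bearer token (algorithm pinned to the HS256 of the token header, HMAC signature, issuer, expiry) before applying the public / any-user / admin-only rules listed for the endpoints above. The demo signing key, the expected issuer "test" (taken from the iss claim of the article's token; how it maps to the client ID setting is not stated on the page) and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Token copied from the article's /signin response. The article does not publish
# the signing key, so its header and payload can be inspected but not verified.
ARTICLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJhZG1pbiIsImF1dGgiOlt7ImF1dGhvcml0eSI6ImFkbWluIn1dLCJpc3MiOiJ0ZXN0IiwiZXhwIjoxNTcxMTYxNjgyfQ."
    "GTIl_7ch282MFLBZ8ywd_FXjz6rc6YUahm_TpXWS-Hw"
)

# Access rules of the Authentication group as the article lists them.
PUBLIC, ANY_USER, ADMIN_ONLY = "public", "any_user", "admin_only"
AUTH_GROUP_POLICY: Dict[str, str] = {
    "/signin": PUBLIC, "/signup": PUBLIC,
    "/allroles": ADMIN_ONLY, "/allusers": ADMIN_ONLY, "/activate": ADMIN_ONLY,
    "/grant": ADMIN_ONLY, "/deleteuser": ADMIN_ONLY,
    "/updateuser": ANY_USER, "/me": ANY_USER,
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_claims(token: str) -> dict:
    """Decode header and payload WITHOUT checking the signature (inspection only)."""
    header_seg, payload_seg, _ = token.split(".")
    return {"header": json.loads(_b64url_decode(header_seg)),
            "payload": json.loads(_b64url_decode(payload_seg))}


def roles_from_claims(payload: dict) -> List[str]:
    # The article's token carries roles as [{"authority": "<role>"}, ...] under "auth".
    return [entry["authority"] for entry in payload.get("auth", [])]


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token with the same layout as the article's token (demo key only)."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if alg, signature, issuer and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(_b64url_decode(header_seg))
        # Pin the algorithm to the one the server is configured for.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare; the signature is checked before the payload is trusted.
        if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
            return None
        payload = json.loads(_b64url_decode(payload_seg))
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    now = time.time() if now is None else now
    if (not isinstance(payload, dict) or payload.get("iss") != issuer
            or not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]):
        return None
    return payload


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract <token> from 'Authorization: Bearer <token>' (header name is case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def gate(path: str, headers: Dict[str, str], key: bytes, issuer: str,
         now: Optional[float] = None) -> Tuple[int, str]:
    """Apply the Authentication-group rules to one request; returns (HTTP status, reason)."""
    rule = AUTH_GROUP_POLICY.get(path)
    if rule is None:
        return 404, "unknown endpoint"
    if rule == PUBLIC:
        return 200, "public endpoint"
    token = bearer_token(headers)
    claims = verify_hs256(token, key, issuer, now) if token else None
    if claims is None:
        return 401, "valid bearer token required"  # missing, forged or expired token
    if rule == ANY_USER or "admin" in roles_from_claims(claims):
        return 200, "granted to " + str(claims.get("sub", "?"))
    return 403, "admin role required"  # authenticated, but not an admin
```

Running peek_claims(ARTICLE_TOKEN) shows the header {"typ":"JWT","alg":"HS256"} and the claims sub=admin, auth=[{"authority":"admin"}], iss=test and exp=1571161682, which is why the admin token from the article can reach every secured endpoint while a token whose auth list only contains "user" gets 403 on the admin-only ones and 200 on /updateuser and /me. The distinction between 401 (no usable token) and 403 (valid token, wrong role) is the one a client should key its re-login logic on.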
5- Demonstration Videos :
Video 1 : Create a REST API without coding.
Video 2 : Secure your created endpoint.
Video 3 : Understand more GrizzlyAPI security (this article demo).
6- More on GrizzlyAPI :
For more details about our product, don't hesitate to Contact Us.
You can follow us on :
Big Thanks to Grizzly Team :