Stateless authentication for Microservices

Resource access restriction

Designing an authentication layer

Sidecar proxy

Sidecar proxy pattern (source: Microsoft)

API Gateway

API Gateway pattern (source: Nginx)

Shared library

Breaking down the shared library approach

JWT and stateless authentications

Anatomy of a token: encoded and decode (source:
  • A JWT is a JSON string encrypted with a secret key;
  • This string is also encoded using base64;
  • One token represents a user session;
  • It's secure because you encrypt/decrypt the token using a secret key;
  • This token is part of each request (Header) from one API to another, like in Basic Auth.
Flowchart for creating a new user session with JWT. (Source: Toptal)

Shared library, also known as the security module

Intercepting an API request made by a consumer
  1. intercept the request;
  2. get the token value (string) through the HTTP header X-PRC-TOKEN;
  3. decode the base64 string;
  4. decrypt the JWT token resulting in a JSON string with all the consumer session data;
  5. applies the authorization rules using the data represented by the JSON string.

Renewing the validity of the token

Lessons learned

Protect your domain layer

Application layers: business rules protected by the proxy pattern

Don't include your JWT secret key in the library code

Stateless authentication also means you don't have control to revoke tokens

The more information your token has, the larger it will be




Currently @PicPay. Previously @Amazon Web Services and @OLX.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

RF-based home automation using Raspberry Pi (Part 1)

Featured image showing a RF transmitter and receiver against a background of colorful jumper cables

5 reasons to upgrade from tix free to tix pro.

Single & Multidimentional Array

House of what? House of gigs!

I’m F*in Tired… (Alt: What Do I Want From Coding REALLY?)

Ansible: Automating an ISO file creation

CS373 Spring 2018: Stewart Trenton Beckendorff, Week 1

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Marcus Cavalcanti

Marcus Cavalcanti

Currently @PicPay. Previously @Amazon Web Services and @OLX.

More from Medium

Microservices Online Boutique Tutorial — Part 1

Dockerizing a node.js application

An Introduction to MQTT with NestJS Framework

Integration Testing