**Course Title:** Mastering Ruby on Rails: Building Scalable Web Applications **Section Title:** RESTful API Development with Rails **Topic:** API authentication with token-based systems (JWT) **Introduction** In the previous topics, we have covered the basics of building RESTful APIs with Rails. In this topic, we will dive deeper into API authentication using token-based systems, specifically JSON Web Tokens (JWT). JWT is a widely used standard for authentication and authorization in web applications. **What is JWT?** JSON Web Tokens (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The token is digitally signed and contains a payload that can be verified and trusted. JWT is used for authentication and authorization in web applications, providing a secure way to verify the identity of users. **How does JWT work?** Here's a high-level overview of the JWT workflow: 1. **User authentication**: The user logs in to the application, providing their credentials (e.g., username and password). 2. **Token generation**: The server generates a JWT token containing the user's information (e.g., username, email, and role). 3. **Token signing**: The server signs the token with a secret key, creating a digital signature that verifies the token's authenticity. 4. **Token transmission**: The server transmits the JWT token to the client (e.g., a web browser). 5. **Token verification**: The client verifies the token's authenticity by checking the digital signature and ensuring the token has not expired. 6. **Token validation**: The client validates the token's payload, ensuring it contains the expected information. **Implementing JWT in Rails** To implement JWT in Rails, we will use the `jwt` gem. Here's an example of how to generate and verify a JWT token: ```ruby # Generate a JWT token def generate_token(user) payload = { user_id: user.id, email: user.email } token = JWT.encode(payload, 'secret_key', 'HS256') token end # Verify a JWT token def verify_token(token) payload = JWT.decode(token, 'secret_key', ['HS256']) payload end ``` **Example Use Case** Here's an example of how to use JWT for authentication in a Rails API: ```ruby # User model class User < ApplicationRecord has_secure_password end # API controller class UsersController < ApplicationController def create user = User.create(user_params) token = generate_token(user) render json: { token: token }, status: :created end def authenticate token = request.headers['Authorization'] user = verify_token(token) if user render json: { user: user }, status: :ok else render json: { error: 'Invalid token' }, status: :unauthorized end end end ``` **Best Practices** Here are some best practices to keep in mind when implementing JWT in Rails: * Use a secure secret key for signing and verifying tokens. * Store tokens securely on the client-side (e.g., in local storage or cookies). * Use HTTPS to encrypt token transmission. * Implement token blacklisting to prevent token reuse. * Use a token expiration time to limit token validity. **Conclusion** In this topic, we have covered the basics of API authentication using token-based systems, specifically JSON Web Tokens (JWT). We have implemented JWT in Rails using the `jwt` gem and provided an example use case for authentication. We have also highlighted best practices for implementing JWT in Rails. With this knowledge, you should be able to implement secure authentication and authorization in your Rails applications. **Leave a comment or ask for help if you have any questions or need further clarification on any of the topics covered in this topic.** **External Resources:** * [JSON Web Tokens (JWT) specification](https://tools.ietf.org/html/rfc7519) * [jwt gem documentation](https://github.com/jwt/ruby-jwt) * [Rails API authentication with JWT](https://guides.rubyonrails.org/api_authentication.html#topic_1_14_1_1_1) **Next Topic:** Advanced querying techniques with Active Record (scopes, joins).