APIM: Is enabling JWT token validation enough?

Atanu Gupta 141 Reputation points
2024-07-17T04:25:09.47+00:00

Hello,

I have my APIs hosted in Azure and sitting behind Azure APIM, which is secured with JWT token validation and a subscription key.

Now my question is: is that enough to secure my APIs from unauthorized access? What will happen if the JWT token gets stolen? Will anyone who has the subscription key be able to call my APIs within the active JWT token window?

Is there any security wall in place to prevent such a security risk?

Please advise. Thanks.


1 answer

  1. Michael Taylor 50,996 Reputation points
    2024-07-17T05:01:12.3466667+00:00

    Yes, anyone with a JWT (actually just the access token inside it) can call your API. Note that a JWT is not inherently secure nor does it really provide any real security benefits. It is simply a format in which data can be shared between systems. JWTs tend to be just byte streams and you can google for a JWT decoder online to see what a JWT contains. JWTs are popular in OAuth and other use cases but by themselves they provide no actual security. You can read more about JWTs here.

    Where JWTs and authentication tend to come into play is when using OAuth. OAuth tends to return a JWT token. Within that token are several pieces of data (again, use an online JWT decoder to see it), including: an access token, which is actually what gives you access to a secure resource, a time-to-live token, and optionally a refresh token and any other data the auth subsystem wanted to provide. Many times a JWT might include the user's name and potentially some claim values. None of this is particularly relevant to security though. The access token is ultimately what is sent as the Bearer token for API calls. So to make an API call all you need is the access token, not the entire JWT. The JWT provides extra data that is useful for the client to know.

    JWTs can be made more secure by encrypting the payload. Some sensitive APIs might do that but at the end of the day there has to be an agreement between the server and the client because the JWT has to be decrypted by the client in order to get the token needed for subsequent calls. So B2B would be the most common scenario for this.

    Another approach might be to encrypt the JWT itself and send it back and forth to the server. This might be useful if the JWT contains sensitive data that the server needs but isn't able to map given just an access token. But technically you could do this with any payload.

    As long as the access token is valid, anyone who has it can call the API. To make this a little more secure it is generally recommended that you keep the lifetime of an access token short. If you need a really secure environment then additional security might include whitelisting caller IPs, using X509 certificates and using an auth system that allows you to "invalidate" an access token before it expires. But all this requires additional coding beyond a basic JWT.

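As an added example (not the asker's configuration and not code from the answer), here is an APIM inbound policy that combines the JWT validation the question describes with the extra layers the answer suggests: a required scope claim, a caller IP allow-list and a client certificate check. The tenant id, client id, scope name, address range and certificate thumbprint named value are placeholders.

```xml
<!-- Added example of an APIM <inbound> policy section. Placeholders: {tenant-id},
     {client-id}, Orders.Read, 203.0.113.0/24 and {{partner-cert-thumbprint}}. -->
<inbound>
    <base />
    <!-- Reject anything that is not a signed, unexpired bearer token issued by the
         expected tenant for this API. Signature, exp, audience and issuer are checked here. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  require-signed-tokens="true" require-expiration-time="true"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://{client-id}</audience>
        </audiences>
        <issuers>
            <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
        </issuers>
        <!-- A validly signed token is not enough on its own: it must also carry the scope
             this operation requires, so a token minted for another API is rejected. -->
        <required-claims>
            <claim name="scp" match="any" separator=" ">
                <value>Orders.Read</value>
            </claim>
        </required-claims>
    </validate-jwt>
    <!-- Defence in depth against a stolen token: only accept calls from the caller's
         known address range (constructed range from the documentation prefix). -->
    <ip-filter action="allow">
        <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <!-- Require a client certificate whose thumbprint matches the one registered for the
         caller (stored as a named value). A bearer token alone cannot satisfy this check. -->
    <choose>
        <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != &quot;{{partner-cert-thumbprint}}&quot;)">
            <return-response>
                <set-status code="403" reason="Client certificate required" />
            </return-response>
        </when>
    </choose>
</inbound>
```

The subscription key check is configured on the product or API rather than in this policy, so it stays in force alongside these checks.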