I'm using JWTAuth to create tokens for my API.
I saw that at the time of the request I can send the token in the header or via param.
I understand that by sending via the header the token accompanies the request in a "transparent" way, resulting in a more friendly appearance.
However, apart from the appearance of the request, is there any other reason why I should choose between one form or another?
Any differences in performance? Or a greater fragility in security? For example.
In practice, nothing prevents you from passing the token through the header, request body or query string.
According to RFC7519 the token submission standard is through the Authorization Header or query string (ex: accessToken = my-token).
Then:
However, apart from the appearance of the request, is there any other reason why I should choose between one form or another?
Choose the default setting for other developers to maintain your system or do some integration so you do not have to guess where the token is being sent.
Any differences in performance? Or a greater fragility in security?
No difference in performance. For security, guarantee a strong secret key for token signing, do not put sensitive data in the payload and also use SSL in your api.
