Access token

Context

You have applied the [[Microservice architecture]] and [[API Gateway]] patterns. The application consists of numerous services. The [[API gateway]] is the single entry point for client requests. It authenticates requests, and forwards them to other services, which might in turn invoke other services.

Problem

How to communicate the identity of the requestor to the services that handle the request?

Forces

Services often need to verify that a user is authorized to perform an operation

Solution

The [[API Gateway]] authenticates the request and passes an access token (e.g. JSON Web Token) that securely identifies the requestor in each request to the services. A service can include the access token in requests it makes to other services.

Example

See JSON Web Token for usage examples and supporting libraries.

Resulting context

This pattern has the following benefits:

The identity of the requestor is securely passed around the system.
Services can verify that the requestor is authorized to perform an operation

The [[API Gateway]] uses this pattern.

PreviousCommand Query Responsibility Segregation (CQRS)NextAggregate

Last updated 1 year ago