# Token in ONEWEB

ONEWEB provides secure access to its REST services through the use of **JWT (JSON Web Token)**.\
All API interactions—especially those involving **EAF‑REST APIs**—require a valid token to ensure that only authenticated and authorized clients can access protected resources.

This token‑based mechanism forms a core part of ONEWEB’s **security and compliance model** for API communication.

***

### Purpose of Token‑Based Security

Token‑based authentication in ONEWEB is designed to:

* Secure REST API access without exposing user credentials repeatedly
* Enable stateless authentication between client and server
* Protect APIs used for CRUD operations and system integration
* Support auditability and access control
* Align with modern security standards (JWT)

***

### Overview of EAF‑REST API Security

The **EAF‑REST API** allows clients to interact with ONEWEB using:

* HTTP / HTTPS
* JSON (JavaScript Object Notation) payloads

All client requests **must include an Authorization token** in the HTTP header.

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2FpeG9L44sNk0N7dgCdOFC%2Fimage.png?alt=media&token=d59aca77-fb71-4f8f-b71d-54f339567d3c" alt=""><figcaption></figcaption></figure>

*Figure: Sequence of client–server interaction using token authentication*

***

### Authentication and Token Lifecycle

The token workflow in ONEWEB follows the sequence below.

***

#### Step 1: Client Requests Login

The client authenticates by sending user credentials to the **login endpoint**.

**Login URL**

```
http://<IP Address>:<Port>/eaf-rest/login
```

> **Note:**\
> The template above uses plain `http`. Outside a local test, call the endpoint over `https` (see Recommended practices below): the request carries the user's password and the response carries the token, and both are readable on the wire otherwise.

**HTTP Method**

```
POST
```

**Request Body (JSON Example)**

```
{
    "username": "User Name",
    "password": "Password",
    "ldapproviderurl": "",
    "clientId": "C00292818"
}
```

> **Note:**\
> `clientId` is a client‑generated unique identifier used to identify the requesting application.

***

#### Step 2: Server Generates JWT Token

After successful authentication:

* ONEWEB creates a **JWT payload** containing identity and validity claims. Decoding the sample token in Step 3 shows the claims it carries: `sub` (the authenticated user), `clientId`, `exp` (expiry as a Unix timestamp in seconds) and `iss` (`com.avalant.jwt`).
* The header and payload are signed by the server. The sample token's header is `{"alg":"HS512"}`, i.e. an HMAC-SHA512 over the encoded header and payload using a secret that stays on the server. Any party holding that secret can mint valid tokens, so it must never be shared with clients.

This token represents the authenticated session: whoever presents it is treated as that user until it expires.

***

#### Step 3: Server Returns Token to Client

**Example Response**

```
{
    "timestamp": "1510363014419",
    "validity": 86400,
    "id_token": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJkbXBzeXN0ZW0iLCJjbGllbnRJZCI6ImFiYyIsImV4cCI6MTUxMTIyNzAxNCwiaXNzIjoiY29tLmF2YWxhbnQuand0In0.UXR5LbqWruWy3rJur2Lx2E1nfI73JX3QBQXA4c2u2_CTSSzceRRMyziGevhtRe16AzAgZGKhny3PdfNltIT5Hw"
}
```

**Response Field Explanation**

* **timestamp**\
  Time when the token was generated (server time). In the example it is a Unix timestamp in **milliseconds** (13 digits).
* **validity**\
  Token lifespan in **seconds**

  > Default validity in ONEWEB 4.0 = **1 day** (86400 seconds, as in the example)
* **id\_token**\
  The JWT token used by the client for authorization

Token expiration (as a Unix timestamp in seconds) is calculated using:

```
expiration = timestamp / 1000 + validity
```

The two fields use different units, so they cannot simply be added as they stand. What the server actually enforces is the `exp` claim embedded in the token, so a client that needs the exact cut-off should read that claim. In the sample token above, `exp` is 1511227014, which is 864000 seconds (10 days) after `timestamp`, not the 86400 seconds that `validity` states in the same response; treat the response fields as a hint and `exp` as authoritative.

***

### Using the Token in API Requests

Once issued, the client must attach the token to **every API request**.

#### Required HTTP Header

```
Authorization: Bearer <id_token>
```

This header is mandatory for all protected REST APIs. Send it only over HTTPS and never in a URL query string: the bearer token is a credential, and whoever captures it can act as the user until it expires.
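The client side of Steps 1 to 3 and of the header above, as an added example that is not ONEWEB's own client code. It builds the login body, reads the `exp` claim out of the page's sample `id_token` without verifying it (a client cannot verify an HS512 token, only the server has the secret), fixes the millisecond/second mismatch when computing expiry, and refuses to emit an `Authorization` header for a token that is about to expire. The `TokenSession` class and the `refresh_margin` parameter are this example's own names; the sample response is copied from Step 3.

```python
import base64
import json
import time

# Login response copied from Step 3 of this page; used here as sample input.
SAMPLE_LOGIN_RESPONSE = {
    "timestamp": "1510363014419",
    "validity": 86400,
    "id_token": (
        "eyJhbGciOiJIUzUxMiJ9."
        "eyJzdWIiOiJkbXBzeXN0ZW0iLCJjbGllbnRJZCI6ImFiYyIsImV4cCI6MTUxMTIyNzAxNCwiaXNzIjoiY29tLmF2YWxhbnQuand0In0."
        "UXR5LbqWruWy3rJur2Lx2E1nfI73JX3QBQXA4c2u2_CTSSzceRRMyziGevhtRe16AzAgZGKhny3PdfNltIT5Hw"
    ),
}


def login_request(username, password, client_id, ldap_provider_url=""):
    """Step 1: the POST to /eaf-rest/login, as a dict an HTTP client can send.
    client_id is the caller-generated identifier described in the page's note."""
    return {
        "method": "POST",
        "path": "/eaf-rest/login",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({
            "username": username,
            "password": password,
            "ldapproviderurl": ldap_provider_url,
            "clientId": client_id,
        }),
    }


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_claims(id_token):
    """Read the JWT header and payload WITHOUT checking the signature.
    A client may do this to learn `exp`; it must not treat the claims as
    authenticated, only the server's signature check does that."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def expiry_from_response(login_response):
    """Expiry in epoch seconds. The sample timestamp is epoch milliseconds
    (13 digits) while validity is in seconds, so convert before adding."""
    return int(login_response["timestamp"]) // 1000 + int(login_response["validity"])


class TokenSession:
    """Holds one issued token and decides when the client must log in again."""

    def __init__(self, login_response, clock=time.time, refresh_margin=60):
        self.id_token = login_response["id_token"]
        self._clock = clock            # injectable for tests; real code uses time.time
        self._margin = refresh_margin  # log in again this many seconds before expiry
        candidates = [expiry_from_response(login_response)]
        _, claims = peek_claims(self.id_token)
        if "exp" in claims:
            candidates.append(int(claims["exp"]))
        # Use the earlier of the two: the server enforces `exp`, the response
        # fields are a hint. In the page's sample they disagree (exp is 10 days
        # out, validity says 1 day); logging in early is harmless, presenting a
        # token past its real expiry just gets the request rejected.
        self.expires_at = min(candidates)

    def needs_login(self):
        return self._clock() >= self.expires_at - self._margin

    def auth_header(self):
        """Header to attach to every protected EAF-REST call."""
        if self.needs_login():
            raise RuntimeError("token expired or about to expire; POST /eaf-rest/login again")
        return {"Authorization": "Bearer " + self.id_token}
```

`peek_claims` is deliberately not a validator: it exists so the client can schedule its next login, and nothing in it should be used to decide what the user is allowed to do.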

***

### Server‑Side Token Validation

When the server receives a request:

1. The JWT **signature is verified** with the server's signing key, using the algorithm the server expects rather than whatever the token's header claims
2. The **expiration time** (`exp` claim) is checked against the current server time
3. The **issuer** (`iss` claim) is validated

* If valid → Request is processed
* If invalid or expired → Request is rejected

Because the signature is checked first, no claim is acted on before it is known to be authentic. This ensures that:

* Only authenticated clients can access APIs
* Expired or tampered tokens are blocked
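The three checks above written out, as an added example that is not ONEWEB's server code. It issues an HS512 token the way Step 2 describes and then gates a request on it: algorithm pinned server-side (so a token claiming `"alg":"none"` is rejected before any signature math), constant-time HMAC comparison, `exp` against the clock, then `iss`. `EXAMPLE_SECRET`, `issue_token`, `verify_token` and `authorize` are this example's own names; the secret is a constructed value for the demonstration, and `com.avalant.jwt` is the issuer value decoded from the page's sample token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only. A real server loads its HS512
# secret from configuration; it is never sent to clients.
EXAMPLE_SECRET = b"example-only-hs512-secret-replace-me"
EXPECTED_ISSUER = "com.avalant.jwt"  # `iss` value carried by the sample token on this page


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject, client_id, validity, secret, now=None, issuer=EXPECTED_ISSUER):
    """Step 2, server side: sign header.payload with HMAC-SHA512 (alg HS512)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "clientId": client_id, "exp": now + validity, "iss": issuer}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return header + "." + payload + "." + b64url_encode(signature)


def verify_token(token, secret, now=None):
    """Checks in the order the page lists: signature, expiry, issuer.
    Returns the verified claims or raises TokenError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
        if not isinstance(header, dict):
            raise ValueError
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm server-side; never let the token choose it. This is
    # what stops "alg":"none" and algorithm-downgrade tokens.
    if header.get("alg") != "HS512":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha512).digest()
    # Constant-time compare so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only now is the payload trustworthy enough to parse and act on.
    try:
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            raise ValueError
    except ValueError:
        raise TokenError("malformed token")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    return claims


def authorize(headers, secret, now=None):
    """Gate for a protected API call: returns (True, claims) or (False, reason)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return False, "missing Bearer token"
    try:
        return True, verify_token(token.strip(), secret, now)
    except TokenError as err:
        return False, str(err)
```

Run against the page's own sample `id_token`, `authorize` reports `bad signature`: without ONEWEB's secret nobody can validate (or forge) that token, which is exactly the property the scheme relies on.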

***

### Server Sends Response to Client

After successful validation and processing:

* The server executes the requested operation
* A response is returned to the client in JSON format

***

### Security & Compliance Considerations

Token‑based security in ONEWEB supports compliance and best practices by:

* Avoiding repeated transmission of credentials
* Providing traceable authentication events
* Enabling stateless and scalable API security
* Supporting integration with modern IAM mechanisms

**Recommended practices**

* Always use **HTTPS**, for the login call and for every call that carries the token
* Protect tokens in client applications
* Do not store tokens in plain text
* Never place the token in a URL query string or write it to logs; carry it in the `Authorization` header only
* Keep `validity` short: validation is stateless, so a leaked token stays usable until its `exp` unless the server also maintains a revocation list
* Rotate or revoke tokens when credentials change

***

### Summary

**JWT‑based tokens** are the foundation of secure API communication in ONEWEB.

Key points:

* EAF‑REST APIs require token authentication
* Tokens are generated after successful login
* Clients must include the token in every request
* Servers validate token integrity and expiration
* Token‑based security enables scalable and compliant integrations

This mechanism ensures that ONEWEB APIs remain **secure, auditable, and enterprise‑ready**.

