
Not an Issue: A question about JWT

Open saurabsalhotra opened this issue 4 years ago • 3 comments

After authenticating we get three tokens:

- Auth_token
- refresh_token
- access_token

Auth_token works everywhere.

But using Bearer <Access_Token> for, say, the /get_profile route yields an error message. Similar for most other routes. Following is the error message.

```json
{
    "detail": "Given token not valid for any token type",
    "code": "token_not_valid",
    "messages": [
        {
            "token_class": "AccessToken",
            "token_type": "access",
            "message": "Token is invalid or expired"
        }
    ]
}
```

However the /me route accepts the Bearer <Access_Token> !!

I'm sorry if this is a noob question, I don't intend to waste anyone's time but Auth_Token doesn't seem to be a JWT.

What is the auth_token and why is the app rejecting the JWT for most of its routes?

Is auth_token actually an API key?

Again sorry for the noobness of this question.

saurabsalhotra avatar Feb 09 '21 19:02 saurabsalhotra

I have no idea: I've only used the Token <auth_token> auth so far. I recommend not to use the JWT auth since the actual app doesn't use it yet.

I think Clubhouse is migrating from auth_token to JWT (access_token, refresh_token). The actual app, as of 0.2.15, only used auth_token, not the JWTs.

I think I only tested using the JWT tokens on like one API, so maybe they only added support for /me?

Also, have you tried getting a new JWT access token via /refresh_token?

(This is not a noob question: I have no idea how this works either!)

zhuowei avatar Feb 09 '21 20:02 zhuowei

Yes I did hit the refresh token route and it gives me a new access token.

In fact, every time you hit the /me route it returns an updated body and signature of the refresh_token and access_token.

Funny thing is, even if I hit /me ten times and get new access tokens each time, I can still authenticate with an older access token.

However, if I hit refresh access token then all older tokens become invalid.

I'm new to JWT, but I think that's how it should work.

Another noob question: Isn't Auth_token the same as an API key?

saurabsalhotra avatar Feb 09 '21 22:02 saurabsalhotra

I don't think Clubhouse's API has an API key (something that's shared between all requests); the auth token is specific to one user.

zhuowei avatar Feb 09 '21 22:02 zhuowei