Best Practice handling user data with JWT

Question

I'm implementing stateless REST API via Json Web Tokens (JWT). At the moment, I'm wondering what is the best approach to pass the user data to the front end. Those are the fields I would need to access on the front-end username, email, role, full_name, description, profile_img, facebook_id, twitter_id, custom_setting_1, custom_setting_2, custom_setting_3, custom_setting_4

There are 2 options that I see:

1. During the JWT creation add the user data to the JWT payload. And then decode it on the front end. Though I'm worried if I add all the data that the payload will get quite large.
2. I can add only unchangeable fields like username, role to JWT. After the JWT is created and returned to the front-end, I send another request for the user data from the API.

I might be missing something here as well. So wondering what is the best approach handling the user data with JWT.

Answer 1

Once you are using JWT for authentication purposes (I understand your server is generating an authentication token that the client needs to send to the server in every request), there's not point in including all of those details in the token.

Your second approach makes much more sense:

I can add only unchangeable fields like username, role to JWT. After the JWT is created and returned to the front-end, I send another request for the user data from the API.

Keep your JWT lean and perform another request to have the user details.

For more information on how to design the URL to return the authenticated user details, check below:

• How to design URL to return data from the current user in a REST API?
• Is using magic (me/self) resource identifiers going against REST principles?