At Guardian, JSON Web Tokens are used as OAuth 2.0 tokens while requesting access to protected resources, such as APIs. Guardian authorization severs generate the JWT after successfully authenticating and authorizing a client App. These apps identify themselves using an API key and secret along with some additional attributes. This token is signed by the Guardian issuer/authorization server using a private key. These tokens are used as short lived bearer token, which means the bearer of the token will be able to get access to the requested data when they present it to the authorization server, hence it is important to ensure this token is protected and securely stored. A compromised token can be revoked by the authorization server. To provide maximum security, it is important to ensure these tokens have a short life, typically 30mins.