Access Tokens are JWTs

10 months ago

Bearer Access Tokens that are issued upon successful auth (the result of a `/token` endpoint call) are now JWTs. The only thing that is stored in the pay-api database related to JWTs are the key ids themselves to check for token expiration (the result of a `/disconnect` endpoint call), which is a fragment of the JWT and not enough itself to make an api call were the database to be compromised. You may read about JWTs here:

pay-api takes your data security and privacy seriously and this change highlights that as much as possible, pay-api is blind to the underlying data.