User authentication

Sure. JWT will make a lot more sense than poor man’s auth if you have the bandwidth.

A few things to be taken care of / answered:

  1. Who is issuing the JWT? The App or the DB? Who will sign it?
  2. What will be the revoking mechanism if JWT is compromised before expiry?
  3. Will it be a perpetual token or will there be a refresh mechanism?
  4. Are you aiming for stateless auth with Dgraph or will the token be persisted in the DB (since the DB has state anyways)?
  5. How will nodes in a Dgraph setup (multiple alphas, zeros and ratel) authenticate among themselves? Will they use JWT too?

JWT is a great way to go forward. Since Dgraph stores user data, security must be the top priority more than anything else and would definitely be everyone’s concern, so taking all the precautions is good.
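
To make questions 2 and 4 above concrete, here is an added example (not code from this post or from Dgraph) of an HS256 token checked against expiry and a `jti` denylist, showing that revoking a token before it expires requires the verifier to keep some state. The key, the in-memory set and the function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed value; a real issuer loads its key from a secret store
REVOKED_JTI = set()               # assumption: in-memory denylist; this is the state revocation needs

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue(sub: str, jti: str, ttl: int, now: int) -> str:
    """Issue a short-lived token; jti is the handle used to revoke it later."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def revoke(jti: str) -> None:
    REVOKED_JTI.add(jti)

def verify(token: str, now: int):
    """Return the claims if the token is valid at time `now`, else None."""
    try:
        header, payload, sig = token.split(".")
        # Check the signature first, in constant time, before trusting any field.
        if not hmac.compare_digest(sig, _sign(f"{header}.{payload}")):
            return None
        # Pin the algorithm instead of letting the token choose it.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None  # malformed token: wrong part count, bad base64 or bad JSON
    if now >= claims["exp"]:
        return None  # expired: the only check a fully stateless verifier can make
    if claims["jti"] in REVOKED_JTI:
        return None  # revoked before expiry: needs the shared denylist
    return claims
```

With several verifying nodes, the denylist has to be visible to all of them, and entries can be dropped once the token's `exp` has passed.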