Changes in the Azure Mobile Services JWT Token

When you authenticate with your Mobile Service using the SDK, the server backend issues a JSON Web Token (JWT) to the client. The client subsequently sends this token with each request to the server. Four months ago we changed the structure of the JWT we issue and increased its version to 2. We still accept version 1 tokens and will continue to do so for a while. However, we ask that customers building their own JWT for custom authentication please update their code to support the new format as soon as possible.

Note: If you are not creating a JWT yourself for authenticating with Mobile Services, then you are not affected by this change.  

The change is summarized as follows:

  1. The version claim has been updated from "1" to "2".
  2. We previously accepted the "kid" claim as an integer zero. The value should now be the string "0" instead.
  3. The "urn:microsoft:credentials" claim has changed shape. This is an optional claim and the change has no impact if you are not using it. The new version takes an object containing the access token, as shown below.
     'urn:microsoft:credentials': {
       accessToken: 'defghijk'
     }
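
If you build your own tokens, a small check like the following can flag tokens that still use the old format before you send them to the service. This is an added example, not code from the Mobile Services SDK; it assumes the version claim is named "ver", reads "kid" from the JWT header (falling back to the payload), and does not verify the signature.

```javascript
'use strict';
// Added example. Assumptions: version claim is named "ver"; "kid" is read from
// the JWT header, falling back to the payload. The signature is not verified.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodePart(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('not a JSON object');
  }
  return value;
}

function lintV2Token(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return ['token does not have three segments'];
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch (err) {
    return ['header or payload is not a base64url-encoded JSON object'];
  }
  const issues = [];
  // Change 1: version is now "2" (string or number accepted; the post does not say).
  if (String(payload.ver) !== '2') issues.push('version is not "2"');
  // Change 2: kid must be the string "0", not the integer 0.
  const kid = 'kid' in header ? header.kid : payload.kid;
  if (kid === 0) issues.push('kid is integer 0; use the string "0"');
  else if (kid !== '0') issues.push('kid is not the string "0"');
  // Change 3: the optional credentials claim must be an object holding accessToken.
  const cred = payload['urn:microsoft:credentials'];
  if (cred !== undefined &&
      (cred === null || typeof cred !== 'object' || typeof cred.accessToken !== 'string')) {
    issues.push('urn:microsoft:credentials is not { accessToken: "..." }');
  }
  return issues;
}

// Constructed sample tokens (placeholder signature, no real credentials).
const badToken = [b64url({ typ: 'JWT', kid: 0 }),
  b64url({ ver: '1', 'urn:microsoft:credentials': 'defghijk' }), 'sig'].join('.');
const newToken = [b64url({ typ: 'JWT', kid: '0' }),
  b64url({ ver: '2', 'urn:microsoft:credentials': { accessToken: 'defghijk' } }), 'sig'].join('.');
console.log(lintV2Token(badToken), lintV2Token(newToken));
```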

If you have any questions, please contact us at mobileservices@microsoft.com, and we will be happy to help.