JWT, or JSON Web Token is a way to transfer sensitive information securely in the widely-accepted JSON format. The contained information could be about the user, or about the token itself, such as its expiry and issuer.

On the other hand, an opaque token, as the name suggests, is opaque in terms of the information it carries. The token is just an identifier that points to the information stored at the authorization server – it gets validated via introspection at the server’s end.

• Model – the resource to protect
• API – a REST controller to expose the resource
• Security Configuration – a class to define access control for the protected resource that the API exposes
• application.yml – a config file to declare properties, including information about the authorization server