{"id":540,"date":"2025-05-09T22:38:47","date_gmt":"2025-05-09T19:38:47","guid":{"rendered":"https:\/\/hostvera.com.tr\/blog\/?p=540"},"modified":"2025-05-26T22:54:45","modified_gmt":"2025-05-26T19:54:45","slug":"json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2","status":"publish","type":"post","link":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/","title":{"rendered":"JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum Rehberi"},"content":{"rendered":"\n<p><strong>JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum Rehberi<\/strong><\/p>\n\n\n\n<p><strong>Giri\u015f<\/strong><br>Modern web uygulamalar\u0131 ve mikroservis mimarilerinde API\u2019ler, istemci ile sunucu aras\u0131nda veri al\u0131\u015fveri\u015finin omurgas\u0131n\u0131 olu\u015fturur. Bu aray\u00fczlerin g\u00fcvenli\u011fini sa\u011flamak, yetkisiz eri\u015fimlerin \u00f6n\u00fcne ge\u00e7mek i\u00e7in kritik \u00f6neme sahiptir. Geleneksel oturum tabanl\u0131 kimlik do\u011frulama y\u00f6ntemleri, da\u011f\u0131t\u0131k sistemlerde \u00f6l\u00e7eklenebilirlik ve durum y\u00f6netimi problemleri yarat\u0131rken; JSON Web Token (JWT) tabanl\u0131 yakla\u015f\u0131m, stateless yap\u0131s\u0131yla hem performans hem de basitlik sunar. Bu rehberde, JWT\u2019nin ne oldu\u011funu, yap\u0131s\u0131n\u0131, kullan\u0131m senaryolar\u0131n\u0131, ad\u0131m ad\u0131m kurulumunu ve uygulamalarda entegrasyonunu ele alacak; token y\u00f6netimi, yenileme ve g\u00fcvenlik \u00f6nlemleri \u00fczerine detayl\u0131 \u00f6neriler payla\u015faca\u011f\u0131z.<\/p>\n\n\n\n<p><strong>1. JWT Nedir ve Neden Tercih Edilir?<\/strong><br>JSON Web Token, RFC 7519 standard\u0131 \u00e7er\u00e7evesinde tan\u0131mlanm\u0131\u015f, i\u00e7eri\u011finde kullan\u0131c\u0131 bilgileri ve ek meta veriler bar\u0131nd\u0131ran imzal\u0131 bir JSON yap\u0131s\u0131d\u0131r. 
Sunucu, ba\u015far\u0131l\u0131 bir kimlik do\u011frulama sonras\u0131 bu token\u2019\u0131 olu\u015fturur; istemci her API iste\u011finde, Authorization ba\u015fl\u0131\u011f\u0131nda bearer token format\u0131nda sunucuya iletir. Sunucu, imzay\u0131 do\u011frulayarak token\u2019\u0131n b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc ve ge\u00e7erlili\u011fini kontrol eder. JWT:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stateless (Durumsuz)<\/strong> bir y\u00f6ntem oldu\u011fundan sunucuda oturum bilgisi saklamaz,<\/li>\n\n\n\n<li><strong>Performans<\/strong> a\u00e7\u0131s\u0131ndan veritaban\u0131 veya cache sorgusu gerektirmez,<\/li>\n\n\n\n<li><strong>Esnek<\/strong> yap\u0131s\u0131yla \u00f6zel alanlar (claims) eklenip her uygulamaya uyarlanabilir,<\/li>\n\n\n\n<li><strong>\u00c7apraz dil ve platform deste\u011fi<\/strong> sunar (JavaScript, Python, Java, Go, .NET vb.).<\/li>\n<\/ul>\n\n\n\n<p>Bu \u00f6zellikler, mikroservisler aras\u0131 haberle\u015fmede ve mobil uygulamalarla entegrasyon senaryolar\u0131nda JWT\u2019yi ideal k\u0131lar.<\/p>\n\n\n\n<p><strong>2. JWT Yap\u0131s\u0131 ve Bile\u015fenleri<\/strong><br>Her JWT \u00fc\u00e7 par\u00e7adan olu\u015fur; nokta (.) ile ayr\u0131lm\u0131\u015f bu b\u00f6l\u00fcmler Base64URL format\u0131nda kodlan\u0131r:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Header (Ba\u015fl\u0131k):<\/strong> Token tipini (typ: &#8220;JWT&#8221;) ve kullan\u0131lan imza algoritmas\u0131n\u0131 (alg, \u00f6rn. 
HS256, RS256) belirtir.<\/li>\n\n\n\n<li><strong>Payload (Y\u00fck):<\/strong> Kullan\u0131c\u0131 kimli\u011fi (sub), token\u2019\u0131n olu\u015fturulma zaman\u0131 (iat), ge\u00e7erlilik s\u00fcresi (exp) ve uygulamaya \u00f6zel ek veri (\u00f6rne\u011fin role, tenantId) gibi claim\u2019leri i\u00e7erir.<\/li>\n\n\n\n<li><strong>Signature (\u0130mza):<\/strong> Header ve payload b\u00f6l\u00fcmlerinin gizli bir anahtar veya \u00f6zel anahtar ile HMAC veya RSA\/ECDSA algoritmalar\u0131 kullan\u0131larak imzalanmas\u0131yla \u00fcretilir.<\/li>\n<\/ol>\n\n\n\n<p>\u00d6rnek bir token:<\/p>\n\n\n\n<p>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9<\/p>\n\n\n\n<p>.<\/p>\n\n\n\n<p>eyJzdWIiOiIxMjM0NTYiLCJuYW1lIjoiSmFuZSBEb2UiLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE2MzAwMDAwMDB9<\/p>\n\n\n\n<p>.<\/p>\n\n\n\n<p>HMACSHA256(base64UrlEncode(header) + &#8220;.&#8221; + base64UrlEncode(payload), secret)<\/p>\n\n\n\n<p><strong>3. Kullan\u0131m Senaryolar\u0131<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RESTful API G\u00fcvenli\u011fi:<\/strong> Sunucu taraf\u0131nda stateless oturum y\u00f6netimi, y\u00fcksek trafikli servisler i\u00e7in ideal.<\/li>\n\n\n\n<li><strong>Mikroservis Haberle\u015fmesi:<\/strong> Servisler aras\u0131 talep do\u011frulamas\u0131 ve rol tabanl\u0131 eri\u015fim kontrolleri.<\/li>\n\n\n\n<li><strong>Mobil ve Tek Sayfa Uygulamalar (SPA):<\/strong> Taray\u0131c\u0131 veya mobil istemcide saklanan token sayesinde CORS sorunlar\u0131 minimuma iner.<\/li>\n\n\n\n<li><strong>Third-Party Entegrasyonlar:<\/strong> Webhook, partner API eri\u015fimleri gibi senaryolarda token tabanl\u0131 ge\u00e7ici eri\u015fim imk\u00e2n\u0131.<\/li>\n<\/ul>\n\n\n\n<p><strong>4. 
Kurulum Ad\u0131mlar\u0131: Genel Haz\u0131rl\u0131k<\/strong><br>JWT tabanl\u0131 g\u00fcvenlik katman\u0131n\u0131 uygulamak i\u00e7in:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>G\u00fcvenli Anahtar Y\u00f6netimi:<\/strong> HMAC algoritmas\u0131 kullanacaksan\u0131z uygulaman\u0131n konfig\u00fcrasyonunda gizli (secret) de\u011ferini saklay\u0131n. RSA veya ECDSA imzalar\u0131 tercih ediyorsan\u0131z \u00f6zel anahtar (private key) ve a\u00e7\u0131k anahtar (public key) \u00e7iftinizi olu\u015fturun; \u00f6zel anahtar\u0131 asla payla\u015f\u0131ma a\u00e7may\u0131n.<\/li>\n\n\n\n<li><strong>K\u00fct\u00fcphane Se\u00e7imi:<\/strong> Kulland\u0131\u011f\u0131n\u0131z platforma uygun, aktif olarak bak\u0131m g\u00f6ren JWT k\u00fct\u00fcphanelerini tercih edin (\u00f6rn. JavaScript i\u00e7in jsonwebtoken, Python i\u00e7in PyJWT, Java i\u00e7in jjwt veya nimbus-jose-jwt).<\/li>\n\n\n\n<li><strong>Zaman Senkronizasyonu:<\/strong> Token ge\u00e7erlilik s\u00fcreleri (exp) hassast\u0131r; sunucu saatinin NTP ile g\u00fcncel oldu\u011fundan emin olun.<\/li>\n\n\n\n<li><strong>G\u00fcvenlik Politikalar\u0131:<\/strong> Token boyutu, i\u00e7erdi\u011fi veri miktar\u0131, refresh mekanizmalar\u0131, imza algoritmas\u0131 se\u00e7imi gibi konulara karar verin. Genellikle HS256 yerine RS256 veya ES256 gibi asimetrik algoritmalar \u00f6nerilir.<\/li>\n<\/ol>\n\n\n\n<p><strong>5. 
Uygulamada JWT Olu\u015fturma ve Do\u011frulama<\/strong><\/p>\n\n\n\n<p><strong><em>Node.js \u00d6rne\u011fi (Express + jsonwebtoken)<\/em><\/strong><\/p>\n\n\n\n<p>const jwt = require(&#8220;jsonwebtoken&#8221;);<\/p>\n\n\n\n<p>const fs = require(&#8220;fs&#8221;);<\/p>\n\n\n\n<p>\/\/ Asimetrik imza i\u00e7in<\/p>\n\n\n\n<p>const privateKey = fs.readFileSync(&#8220;private.key&#8221;);<\/p>\n\n\n\n<p>const publicKey&nbsp; = fs.readFileSync(&#8220;public.key&#8221;);<\/p>\n\n\n\n<p>\/\/ Token olu\u015fturma<\/p>\n\n\n\n<p>function generateToken(user) {<\/p>\n\n\n\n<p>&nbsp; const payload = {<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; sub: user.id,<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; name: user.username,<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; role: user.role,<\/p>\n\n\n\n<p>&nbsp; };<\/p>\n\n\n\n<p>&nbsp; return jwt.sign(payload, privateKey, {<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; algorithm: &#8220;RS256&#8221;,<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; expiresIn: &#8220;2h&#8221;,<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; issuer: &#8220;my-api&#8221;,<\/p>\n\n\n\n<p>&nbsp; });<\/p>\n\n\n\n<p>}<\/p>\n\n\n\n<p>\/\/ Token do\u011frulama middleware\u2019i<\/p>\n\n\n\n<p>function authenticate(req, res, next) {<\/p>\n\n\n\n<p>&nbsp; const authHeader = req.headers.authorization;<\/p>\n\n\n\n<p>&nbsp; if (!authHeader) return res.sendStatus(401);<\/p>\n\n\n\n<p>&nbsp; const token = authHeader.split(&#8221; &#8220;)[1];<\/p>\n\n\n\n<p>&nbsp; jwt.verify(token, publicKey, { algorithms: [&#8220;RS256&#8221;], issuer: &#8220;my-api&#8221; }, (err, decoded) =&gt; {<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; if (err) return res.sendStatus(403);<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; req.user = decoded;<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; next();<\/p>\n\n\n\n<p>&nbsp; });<\/p>\n\n\n\n<p>}<\/p>\n\n\n\n<p><strong><em>Python \u00d6rne\u011fi (Flask + PyJWT)<\/em><\/strong><\/p>\n\n\n\n<p>import jwt<\/p>\n\n\n\n<p>from datetime import datetime, timedelta<\/p>\n\n\n\n<p>from flask import request, jsonify<\/p>\n\n\n\n<p>PRIVATE_KEY = 
open(&#8220;private.pem&#8221;).read()<\/p>\n\n\n\n<p>PUBLIC_KEY&nbsp; = open(&#8220;public.pem&#8221;).read()<\/p>\n\n\n\n<p>def generate_token(user_id):<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; payload = {<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8220;sub&#8221;: user_id,<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8220;iat&#8221;: datetime.utcnow(),<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8220;exp&#8221;: datetime.utcnow() + timedelta(hours=2)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; }<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; return jwt.encode(payload, PRIVATE_KEY, algorithm=&#8221;RS256&#8243;)<\/p>\n\n\n\n<p>def authenticate(f):<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; def wrapper(*args, **kwargs):<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auth = request.headers.get(&#8220;Authorization&#8221;, None)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if not auth: return jsonify({&#8220;msg&#8221;: &#8220;Missing token&#8221;}), 401<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; token = auth.split()[1]<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; try:<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; decoded = jwt.decode(token, PUBLIC_KEY, algorithms=[&#8220;RS256&#8221;])<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; except jwt.ExpiredSignatureError:<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return jsonify({&#8220;msg&#8221;: &#8220;Token expired&#8221;}), 401<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; except jwt.InvalidTokenError:<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return jsonify({&#8220;msg&#8221;: &#8220;Invalid token&#8221;}), 403<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; request.user = decoded[&#8220;sub&#8221;]<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return f(*args, 
**kwargs)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; return wrapper<\/p>\n\n\n\n<p><strong><em>Java \u00d6rne\u011fi (Spring Boot + jjwt)<\/em><\/strong><\/p>\n\n\n\n<p>KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);<\/p>\n\n\n\n<p>String createToken(String userId) {<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; return Jwts.builder()<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .setSubject(userId)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .setIssuedAt(Date.from(Instant.now()))<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .setExpiration(Date.from(Instant.now().plus(2, ChronoUnit.HOURS)))<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .setIssuer(&#8220;my-api&#8221;)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .signWith(keyPair.getPrivate())<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .compact();<\/p>\n\n\n\n<p>}<\/p>\n\n\n\n<p>Claims validateToken(String token) {<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp; return Jwts.parserBuilder()<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .setSigningKey(keyPair.getPublic())<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .requireIssuer(&#8220;my-api&#8221;)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .build()<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .parseClaimsJws(token)<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .getBody();<\/p>\n\n\n\n<p>}<\/p>\n\n\n\n<p><strong>6. Token Ya\u015fam D\u00f6ng\u00fcs\u00fc ve Yenileme<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Access Token<\/strong>: K\u0131sa \u00f6m\u00fcrl\u00fc (15m\u20132h) ve s\u0131k do\u011frulanan token.<\/li>\n\n\n\n<li><strong>Refresh Token<\/strong>: Uzun \u00f6m\u00fcrl\u00fc (7\u201330 g\u00fcn) token; access token\u2019\u0131n s\u00fcresi dolunca yeni bir access token olu\u015fturmak i\u00e7in kullan\u0131l\u0131r. 
Refresh token\u2019lar veritaban\u0131nda veya g\u00fcvenli saklama alan\u0131nda tutulmal\u0131; her kullan\u0131mda ge\u00e7ersizle\u015ftirilecek \u015fekilde dizayn edilmelidir.<\/li>\n\n\n\n<li><strong>Token Revocation<\/strong>: Blacklist (kara liste) sistemleri, \u00f6zellikle refresh token\u2019lar iptal edildi\u011finde hesab\u0131n b\u00fct\u00fcn aktif token\u2019lar\u0131n\u0131 ge\u00e7ersiz k\u0131lmak i\u00e7in gereklidir.<\/li>\n<\/ul>\n\n\n\n<p><strong>7. G\u00fcvenlik \u00d6nlemleri<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Asimetrik \u0130mzalar:<\/strong> HMAC\u2019a k\u0131yasla \u00f6zel\/halka a\u00e7\u0131k anahtar yap\u0131s\u0131, secret\u2019\u0131n istemci taraf\u0131na s\u0131zmas\u0131n\u0131 engeller.<\/li>\n\n\n\n<li><strong>exp<\/strong><strong> ve <\/strong><strong>iat<\/strong><strong> Claim\u2019leri:<\/strong> Token\u2019\u0131n ge\u00e7erlilik s\u00fcresini ve olu\u015fturulma zaman\u0131n\u0131 zorunlu tutun.<\/li>\n\n\n\n<li><strong>aud<\/strong><strong> ve <\/strong><strong>iss<\/strong><strong>:<\/strong> Hedef API ve token d\u00fczenleyiciyi do\u011frulamak i\u00e7in audience ve issuer claim\u2019lerini kullan\u0131n.<\/li>\n\n\n\n<li><strong>JTI (JWT ID):<\/strong> Her token\u2019a benzersiz bir ID atay\u0131p, tekrar kullan\u0131m veya replay ataklar\u0131na kar\u015f\u0131 \u00f6nlem al\u0131n.<\/li>\n\n\n\n<li><strong>CORS ve Secure Cookie Politikalar\u0131:<\/strong> Token\u2019\u0131 HTTP-only, Secure ve SameSite cookie olarak iletmek, XSS riskini azalt\u0131r. Alternatif olarak localStorage yerine Authorization ba\u015fl\u0131\u011f\u0131n\u0131 tercih edin.<\/li>\n\n\n\n<li><strong>Algoritma Sabitleme:<\/strong> Sunucu taraf\u0131nda sadece izin verdi\u011finiz algoritmalar\u0131 (RS256 gibi) kabul edin, alg: none sald\u0131r\u0131lar\u0131na kar\u015f\u0131 \u00f6nlem al\u0131n.<\/li>\n<\/ul>\n\n\n\n<p><strong>8. 
Performans ve \u00d6l\u00e7eklendirme<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stateless Do\u011frulama:<\/strong> Her istekte imza kontrol\u00fc yap\u0131l\u0131r; bu i\u015flem kriptografik maliyet do\u011furdu\u011fundan, y\u00fcksek trafikte CPU kullan\u0131m\u0131 artabilir. GPU h\u0131zland\u0131rma veya daha hafif algoritmalar (ES256) tercih edin.<\/li>\n\n\n\n<li><strong>Cache Layer:<\/strong> Sunucu taraf\u0131 do\u011frulama sonu\u00e7lar\u0131n\u0131 k\u0131sa s\u00fcreli \u00f6nbelle\u011fe alarak (\u00f6rn. Redis TTL ile), ayn\u0131 token i\u00e7in tekrarl\u0131 imza do\u011frulamas\u0131n\u0131 azaltabilirsiniz.<\/li>\n\n\n\n<li><strong>Token Boyutu:<\/strong> Payload\u2019a gereksiz veri eklemekten ka\u00e7\u0131n\u0131n; token\u2019\u0131 minimal bilgileri ta\u015f\u0131yacak \u015fekilde tasarlay\u0131n.<\/li>\n<\/ul>\n\n\n\n<p><strong>9. \u0130zleme ve Log Y\u00f6netimi<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ba\u015far\u0131l\u0131\/ba\u015far\u0131s\u0131z do\u011frulama say\u0131lar\u0131<\/strong>,<\/li>\n\n\n\n<li><strong>Expired token hatalar\u0131<\/strong>,<\/li>\n\n\n\n<li><strong>Blacklist kullan\u0131m\u0131 ve token iptal oran\u0131<\/strong>,<br>gibi metrikler izlenerek API g\u00fcvenlik durumu de\u011ferlendirilebilir. ELK, Prometheus veya managed log servisleri ile bu verileri toplay\u0131p dashboard olu\u015fturarak, anormalliklere h\u0131zla m\u00fcdahale edebilirsiniz.<\/li>\n<\/ul>\n\n\n\n<p><strong>10. 
En \u0130yi Uygulamalar<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Minimal Yetki (Least Privilege):<\/strong> Token i\u00e7indeki claim\u2019lerde sadece gerekli bilgileri tutun, rolleri net \u015fekilde ay\u0131r\u0131n.<\/li>\n\n\n\n<li><strong>S\u00fcrekli Anahtar Rotasyonu:<\/strong> Belirli d\u00f6nemlerde yeni anahtar \u00e7ifti olu\u015fturun, eski anahtarlar i\u00e7in grace period tan\u0131y\u0131p rotasyon yap\u0131n.<\/li>\n\n\n\n<li><strong>Rate Limiting:<\/strong> API u\u00e7 noktalar\u0131n\u0131z\u0131 korumak i\u00e7in token kullan\u0131m\u0131 bazl\u0131 h\u0131z s\u0131n\u0131rlay\u0131c\u0131 (rate limiting) kurallar\u0131 uygulay\u0131n.<\/li>\n\n\n\n<li><strong>Penetrasyon Testi ve G\u00fcvenlik Tarama:<\/strong> JWT implementasyonunuzu d\u00fczenli olarak OWASP ZAP, Burp Suite gibi ara\u00e7larla test edin.<\/li>\n\n\n\n<li><strong>Dok\u00fcmantasyon:<\/strong> Token format\u0131, claim listesi ve yenileme ak\u0131\u015f\u0131n\u0131 API dok\u00fcmantasyonunuzda a\u00e7\u0131k\u00e7a belirtin.<\/li>\n<\/ol>\n\n\n\n<p><strong>Sonu\u00e7<\/strong><br>JSON Web Token tabanl\u0131 API g\u00fcvenli\u011fi, stateless mimarisi, platform ba\u011f\u0131ms\u0131zl\u0131\u011f\u0131 ve performans avantajlar\u0131 ile modern uygulamalar\u0131n vazge\u00e7ilmezi haline geliyor. Do\u011fru imza algoritmas\u0131 se\u00e7imi, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, token yenileme stratejileri ve g\u00fc\u00e7l\u00fc g\u00fcvenlik \u00f6nlemleri uyguland\u0131\u011f\u0131nda, hem geli\u015ftirici deneyimi hem de servis g\u00fcvenilirli\u011fi \u00fcst seviyelere ta\u015f\u0131nabilir. 
Bu rehberde payla\u015f\u0131lan ad\u0131mlar\u0131 takip ederek, JWT\u2019yi altyap\u0131n\u0131za entegre edebilir, API\u2019lerinizde hem \u00f6l\u00e7eklenebilir hem de dayan\u0131kl\u0131 bir kimlik do\u011frulama katman\u0131 olu\u015fturabilirsiniz.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum Rehberi Giri\u015fModern web uygulamalar\u0131 ve mikroservis mimarilerinde API\u2019ler, istemci ile sunucu aras\u0131nda veri al\u0131\u015fveri\u015finin omurgas\u0131n\u0131 olu\u015fturur. Bu aray\u00fczlerin g\u00fcvenli\u011fini sa\u011flamak, yetkisiz eri\u015fimlerin \u00f6n\u00fcne ge\u00e7mek i\u00e7in kritik \u00f6neme sahiptir. Geleneksel oturum tabanl\u0131 kimlik do\u011frulama y\u00f6ntemleri, da\u011f\u0131t\u0131k sistemlerde \u00f6l\u00e7eklenebilirlik ve durum y\u00f6netimi problemleri yarat\u0131rken; JSON Web Token (JWT) tabanl\u0131 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ub_ctt_via":"","footnotes":""},"categories":[76],"tags":[],"class_list":["post-540","post","type-post","status-publish","format-standard","hentry","category-web-guvenligi-ve-ssl-sertifikalari-rehberi"],"featured_image_src":null,"author_info":{"display_name":"admin","author_link":"https:\/\/hostvera.com.tr\/blog\/author\/hostvera\/"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>JWT ile API G\u00fcvenli\u011fi: Kurulum ve En \u0130yi Uygulamalar<\/title>\n<meta name=\"description\" content=\"API g\u00fcvenli\u011fi i\u00e7in JWT ile kurulum, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, g\u00fcvenlik \u00f6nlemleri ve en iyi uygulamalar\u0131 ke\u015ffedin.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link 
rel=\"canonical\" href=\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\" \/>\n<meta property=\"og:locale\" content=\"tr_TR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"JWT ile API G\u00fcvenli\u011fi: Kurulum ve En \u0130yi Uygulamalar\" \/>\n<meta property=\"og:description\" content=\"API g\u00fcvenli\u011fi i\u00e7in JWT ile kurulum, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, g\u00fcvenlik \u00f6nlemleri ve en iyi uygulamalar\u0131 ke\u015ffedin.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Hostvera Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-09T19:38:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-26T19:54:45+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Yazan:\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tahmini okuma s\u00fcresi\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 dakika\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#\/schema\/person\/6c57309574bd96c475d33fa49017c3d6\"},\"headline\":\"JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum 
Rehberi\",\"datePublished\":\"2025-05-09T19:38:47+00:00\",\"dateModified\":\"2025-05-26T19:54:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\"},\"wordCount\":1729,\"publisher\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#organization\"},\"articleSection\":[\"Web G\u00fcvenli\u011fi ve SSL Sertifikalar\u0131 Rehberi\"],\"inLanguage\":\"tr\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\",\"url\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\",\"name\":\"JWT ile API G\u00fcvenli\u011fi: Kurulum ve En \u0130yi Uygulamalar\",\"isPartOf\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#website\"},\"datePublished\":\"2025-05-09T19:38:47+00:00\",\"dateModified\":\"2025-05-26T19:54:45+00:00\",\"description\":\"API g\u00fcvenli\u011fi i\u00e7in JWT ile kurulum, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, g\u00fcvenlik \u00f6nlemleri ve en iyi uygulamalar\u0131 ke\u015ffedin.\",\"breadcrumb\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/#breadcrumb\"},\"inLanguage\":\"tr\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Anasayfa\",\"item\":\"https:\/\/hostvera.com.tr\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum Rehberi\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#website\",\"url\":\"https:\/\/hostvera.com.tr\/blog\/\",\"name\":\"Hostvera 
Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hostvera.com.tr\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"tr\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#organization\",\"name\":\"Hostvera Blog\",\"url\":\"https:\/\/hostvera.com.tr\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"tr\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/hostvera.com.tr\/blog\/wp-content\/uploads\/2025\/03\/cropped-2.png\",\"contentUrl\":\"https:\/\/hostvera.com.tr\/blog\/wp-content\/uploads\/2025\/03\/cropped-2.png\",\"width\":202,\"height\":42,\"caption\":\"Hostvera Blog\"},\"image\":{\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.instagram.com\/hostvera.com.tr\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#\/schema\/person\/6c57309574bd96c475d33fa49017c3d6\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"tr\",\"@id\":\"https:\/\/hostvera.com.tr\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1ec72e2ddf8b63780dee78d237a8e7f84e08225f7f92ecede4cbdd2f9d8d156f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1ec72e2ddf8b63780dee78d237a8e7f84e08225f7f92ecede4cbdd2f9d8d156f?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"description\":\"Hostvera\",\"sameAs\":[\"https:\/\/hostvera.com.tr\/blog\"],\"url\":\"https:\/\/hostvera.com.tr\/blog\/author\/hostvera\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"JWT ile API G\u00fcvenli\u011fi: Kurulum ve En \u0130yi Uygulamalar","description":"API g\u00fcvenli\u011fi i\u00e7in JWT ile kurulum, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, g\u00fcvenlik \u00f6nlemleri ve en iyi uygulamalar\u0131 ke\u015ffedin.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/","og_locale":"tr_TR","og_type":"article","og_title":"JWT ile API G\u00fcvenli\u011fi: Kurulum ve En \u0130yi Uygulamalar","og_description":"API g\u00fcvenli\u011fi i\u00e7in JWT ile kurulum, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, g\u00fcvenlik \u00f6nlemleri ve en iyi uygulamalar\u0131 ke\u015ffedin.","og_url":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/","og_site_name":"Hostvera Blog","article_published_time":"2025-05-09T19:38:47+00:00","article_modified_time":"2025-05-26T19:54:45+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Yazan:":"admin","Tahmini okuma s\u00fcresi":"7 dakika"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/#article","isPartOf":{"@id":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/"},"author":{"name":"admin","@id":"https:\/\/hostvera.com.tr\/blog\/#\/schema\/person\/6c57309574bd96c475d33fa49017c3d6"},"headline":"JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum 
Rehberi","datePublished":"2025-05-09T19:38:47+00:00","dateModified":"2025-05-26T19:54:45+00:00","mainEntityOfPage":{"@id":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/"},"wordCount":1729,"publisher":{"@id":"https:\/\/hostvera.com.tr\/blog\/#organization"},"articleSection":["Web G\u00fcvenli\u011fi ve SSL Sertifikalar\u0131 Rehberi"],"inLanguage":"tr"},{"@type":"WebPage","@id":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/","url":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/","name":"JWT ile API G\u00fcvenli\u011fi: Kurulum ve En \u0130yi Uygulamalar","isPartOf":{"@id":"https:\/\/hostvera.com.tr\/blog\/#website"},"datePublished":"2025-05-09T19:38:47+00:00","dateModified":"2025-05-26T19:54:45+00:00","description":"API g\u00fcvenli\u011fi i\u00e7in JWT ile kurulum, ya\u015fam d\u00f6ng\u00fcs\u00fc y\u00f6netimi, g\u00fcvenlik \u00f6nlemleri ve en iyi uygulamalar\u0131 ke\u015ffedin.","breadcrumb":{"@id":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/#breadcrumb"},"inLanguage":"tr","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hostvera.com.tr\/blog\/json-web-token-jwt-ile-api-guvenligi-kurulum-rehberi-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Anasayfa","item":"https:\/\/hostvera.com.tr\/blog\/"},{"@type":"ListItem","position":2,"name":"JSON Web Token (JWT) ile API G\u00fcvenli\u011fi: Kurulum Rehberi"}]},{"@type":"WebSite","@id":"https:\/\/hostvera.com.tr\/blog\/#website","url":"https:\/\/hostvera.com.tr\/blog\/","name":"Hostvera 
Blog","description":"","publisher":{"@id":"https:\/\/hostvera.com.tr\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hostvera.com.tr\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"tr"},{"@type":"Organization","@id":"https:\/\/hostvera.com.tr\/blog\/#organization","name":"Hostvera Blog","url":"https:\/\/hostvera.com.tr\/blog\/","logo":{"@type":"ImageObject","inLanguage":"tr","@id":"https:\/\/hostvera.com.tr\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/hostvera.com.tr\/blog\/wp-content\/uploads\/2025\/03\/cropped-2.png","contentUrl":"https:\/\/hostvera.com.tr\/blog\/wp-content\/uploads\/2025\/03\/cropped-2.png","width":202,"height":42,"caption":"Hostvera Blog"},"image":{"@id":"https:\/\/hostvera.com.tr\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.instagram.com\/hostvera.com.tr\/"]},{"@type":"Person","@id":"https:\/\/hostvera.com.tr\/blog\/#\/schema\/person\/6c57309574bd96c475d33fa49017c3d6","name":"admin","image":{"@type":"ImageObject","inLanguage":"tr","@id":"https:\/\/hostvera.com.tr\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/1ec72e2ddf8b63780dee78d237a8e7f84e08225f7f92ecede4cbdd2f9d8d156f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1ec72e2ddf8b63780dee78d237a8e7f84e08225f7f92ecede4cbdd2f9d8d156f?s=96&d=mm&r=g","caption":"admin"},"description":"Hostvera","sameAs":["https:\/\/hostvera.com.tr\/blog"],"url":"https:\/\/hostvera.com.tr\/blog\/author\/hostvera\/"}]}},"_links":{"self":[{"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/posts\/540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hostvera.com.tr\/
blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=540"}],"version-history":[{"count":1,"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/posts\/540\/revisions"}],"predecessor-version":[{"id":541,"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/posts\/540\/revisions\/541"}],"wp:attachment":[{"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hostvera.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}