
Introduction

JSON Web Token (JWT) is an open standard for securely transmitting information as a JSON object between parties. JWTs consist of three parts: a header, a payload, and a signature. The header contains information about the token type and the algorithm used to generate the signature. The payload contains the transmitted information, such as user data or authorization claims.

The signature is generated using a secret key known only to the token issuer to verify that the token has not been tampered with. JWTs are commonly used for authentication and authorization purposes in web applications, APIs, and mobile apps and are often used in place of traditional session-based authentication methods. Because they are self-contained and can be verified without needing to access a database or other external resources, JWTs are often considered a more scalable and secure alternative to traditional authentication methods.

JWT Token

JSON Web Token (JWT) is one of the most popular authentication methods in use today. A JSON Web Token is a self-contained way to transmit data between two entities in JSON format, and it can be trusted because each JWT can be digitally signed.

A JSON Web Token consists of three parts separated by dots that represent a Header, Payload and Signature, respectively, for example:

header.payload.signature

The JWT header usually consists of two parts, the algorithm and the type of token, and is then encoded using Base64 (the URL-safe variant, base64url, which the signature formula below calls base64UrlEncode).

{
    "alg": "HS256",
    "typ": "JWT"
}

The JWT payload carries the data as three kinds of claims: registered, public and private. The subject (sub) must be scoped either locally or globally and acts like an ID for the JWT. If you see an exp field, it is the expiration time, used to check that the current date and time are before the token expires. Again, all of this is encoded using Base64.

{
    "sub": "cffc8709-7570-453e-8ccd-88ca3d668fc5",
    "name": "John Doe",
    "first_name": "John",
    "last_name": "Doe",
    "email": "jdoe@email.com",
    "is_admin": true
}

The JWT signature is created by using the algorithm named in the header to compute a keyed hash (an HMAC) over the encoded header and encoded payload with a secret. The secret is kept on the server side, and the client never has access to it.

HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload), secret
)

The best way to get a better understanding of JWTs is to experiment. https://jwt.io/ is a great tool for doing just that: paste the following token there and play with it:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjZmZjODcwOS03NTcwLTQ1M2UtOGNjZC04OGNhM2Q2NjhmYzUiLCJuYW1lIjoiSm9obiBEb2UiLCJmaXJzdF9uYW1lIjoiSm9obiIsImxhc3RfbmFtZSI6IkRvZSIsImVtYWlsIjoiamRvZUBlbWFpbC5jb20iLCJpc19hZG1pbiI6dHJ1ZX0.cWNO-WpQJnKwVLWmnAbp_OdiKogX4tj6WnLCJmZS5JA
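As an added example (not code from the original page), here is a minimal HS256 signer and verifier in Python that follows the HMACSHA256 formula above. The secret and sample claims are constructed for the demo; the verifier pins the algorithm server-side, compares signatures in constant time, rejects a payload that was edited after signing, and honours exp.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    # JWT uses the URL-safe Base64 alphabet with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # restore the padding the encoder removed before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature following the HMACSHA256 formula above."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the payload when signature and exp are good, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":     # the server pins the algorithm; the header is only checked against it
        return None
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        return None
    payload = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:   # exp is seconds since the Unix epoch
        return None
    return payload

def decode_unverified(token: str) -> dict:
    # header and payload are only Base64URL-encoded, so anyone can read them without the secret
    return json.loads(b64url_decode(token.split(".")[1]))

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"          # constructed for this example, not a real key
    token = sign_hs256({"sub": "u1", "is_admin": False, "exp": 2000}, SECRET)
    print(verify_hs256(token, SECRET, now=1000))  # the payload dict comes back
    head_b64, _, sig_b64 = token.split(".")
    edited = head_b64 + "." + b64url_encode(compact_json({"sub": "u1", "is_admin": True, "exp": 2000})) + "." + sig_b64
    print(verify_hs256(edited, SECRET, now=1000))  # None: payload changed, signature no longer matches
    print(verify_hs256(token, SECRET, now=3000))   # None: token expired
```

Running decode_unverified on the token from the page shows why the payload should never carry secrets: the claims are readable by anyone, and only the signature check (which needs the server's secret) tells you whether they are trustworthy.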