JSON Web Token (JWT) defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used to represent claims between two parties, such as an identity token or an access token, and are widely used in web applications for authentication and authorization purposes. JSON Web Tokens lets you decode and manipulate JSON web tokens on the fly, check their validity, and automate common attacks.
How does JWT work?
JWT works just like any other token-based auth strategy; the only difference is how the token is generated and checked.
Characteristics of the token
The token is just a normal URL-safe String and can be passed to the server in the header, body, or URL.
The token is self-contained i.e. carries the data. Anyone can view the content.
A JWT consists of three parts, separated by dots:
XXXXXXXXXX . YYYYYYYYYY . ZZZZZZZZZZ
  header      payload     signature
Header:
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
Example Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims. Registered claims include predefined keys such as “iss” (issuer), “sub” (subject), “exp” (expiration time), “aud” (audience), and more. Public claims are defined by the application but should be used with caution to avoid naming collisions. Private claims are custom claims used to share information between parties that agree on using them.
Example Payload:
{
  "sub": "user123",
  "name": "John Doe",
  "admin": true
}
Signature:
The signature is computed over the encoded header and encoded payload using a secret key (for HMAC algorithms) or a private key (for RSA algorithms). The signature lets the receiver verify that the token was not tampered with in transit and that it was issued by a party holding that key.
The three parts are then concatenated with dots to form the JWT:
base64url(header) + "." + base64url(payload) + "." + base64url(signature)
When a JWT is sent to the server, the server can validate its authenticity and extract the claims to perform actions like user authentication or authorization.
JWTs have gained popularity due to their simplicity, compactness, and portability. They can be easily transmitted as URL parameters, in an HTTP header, or as part of a cookie. However, the payload is only base64url-encoded, not encrypted, so anyone who obtains the token can read its claims; it is essential to protect the JWT from unauthorized access and to transmit it only over HTTPS.
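The signing and validation flow described above, as an added example that is not part of the original article: it builds an HS256 token with only the Python standard library, shows that the claims can be read without the key, and verifies the signature, the pinned algorithm and the exp claim on the server side. The secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # restore the padding the encoder stripped
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def peek_claims(token: str) -> dict:
    # The payload is encoded, not encrypted: readable without the secret.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims if the token is valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the expected algorithm; never let the token's own header pick it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims

def tamper_demo(secret: bytes):
    # Edit a claim in the readable payload and reuse the old signature: verification fails.
    token = sign_hs256({"sub": "user123", "admin": False, "exp": 2_000_000_000}, secret)
    claims = peek_claims(token)
    claims["admin"] = True
    h, _, s = token.split(".")
    forged = h + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s
    return verify_hs256(token, secret) is not None, verify_hs256(forged, secret) is not None
```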
Imagine you have a special box called a JWT. Inside this box are three parts: a header, a payload, and a signature.
The header is like the label on the outside of the box. It tells us what type of box it is and how it’s secured. It’s usually written in a format called JSON, which is just a way to organize information using curly braces ‘{ }’ and colons ‘:’.
The payload is like the actual message or information you want to send. It could be your name, age, or any other data you want to share. It’s also written in JSON format, so it’s easy to understand and work with.
Now, the signature is what makes the JWT secure. It’s like a special seal only the sender knows how to create. The signature is created using a secret code, kind of like a password. This signature ensures that nobody can tamper with the contents of the JWT without the server that checks the seal noticing.
When you want to send the JWT to a server, you put the header, payload, and signature inside the box. Then you send it over to the server. The server can easily read the header and payload to understand who you are and what you want to do.