Become familiar with the sharp edges of JWTs.

JSON Web Tokens, or JWTs¹ for short, are self-contained tokens that are often used in the context of authentication and authorization. In this post, I will explain how JWTs work, what problems they are meant to solve, and common pitfalls to avoid when implementing a service that uses JWTs.

A Crash Course on JWTs

A JWT is just a JSON object, base64-encoded² and signed. It generally looks like this:

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

After decoding each dot-separated section, we obtain the following:

{
  "typ": "JWT",
  "alg": "HS256"
}.{
  "iss": "joe",
  "exp": 1300819380,
  "http://example.com/is_root": true
}.<some binary data>

The first section is the “JOSE header”, and contains metadata about…
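To make the structure above concrete, here is an added example (not code from the original post) that splits the post's token into its three base64url segments, decodes the header and payload, and, separately, verifies an HS256 signature and the exp claim. The token is the one quoted above (it is RFC 7515's Appendix A.1 example); the HMAC key in the demo is the one that RFC publishes for it, and the key used in the round-trip is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
import time

# The token quoted in the post (RFC 7515 Appendix A.1 example).
TOKEN = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9."
         "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ."
         "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")

def b64url_decode(s):
    # JWT segments are base64url without '=' padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """Decode the dot-separated segments. Anyone can do this; it proves nothing about authenticity."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))

def sign_hs256(header, payload, key):
    """Build header.payload and append HMAC-SHA256 over exactly that string."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, key, now=None):
    """Return the payload only if the signature is valid for this key and the token is not expired."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # the verifier pins the algorithm; the token does not choose it
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):   # constant-time comparison
        return None
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:                   # exp is seconds since the epoch
        return None
    return payload

if __name__ == "__main__":
    # HMAC key published for this token in RFC 7515 Appendix A.1.1.
    rfc_key = b64url_decode("AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow")
    print("claims (unverified):", decode_unverified(TOKEN)[1])
    print("signature valid, exp ignored:", verify_hs256(TOKEN, rfc_key, now=0) is not None)
    print("accepted now (exp is in 2011):", verify_hs256(TOKEN, rfc_key))
```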

Nevil Seong
