JSON Web Tokens, or JWTs¹ for short, are self-contained tokens that are often used in the context of authentication and authorization. In this post, I will explain how JWTs work, what problems they are meant to solve, and common pitfalls to avoid when implementing a service that uses JWTs.
A JWT is just a JSON object, base64-encoded² and signed. JWTs generally look like this:
After decoding each dot-separated section, we obtain the following:
}.<some binary data>
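To make the encoding and signing concrete, here is an added example (not code from the original post) that builds a token with the HS256 algorithm from the standard library alone, splits it back into its dot-separated sections, and verifies the signature before trusting the payload. The key, the payload fields and the function names are constructed for the demonstration; the base64url alphabet without padding and the `alg`/`typ` header fields are the ones the JOSE/JWS specifications define.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url (RFC 4648 section 5) with the trailing "=" padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped so the decoder accepts it.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def create_jwt(payload: dict, key: bytes) -> str:
    # First section: the JOSE header, naming the signature algorithm and token type.
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    # Second section: the claims (the JSON object the token actually carries).
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    # Third section: HMAC-SHA256 over "header.payload", the signing input defined by JWS.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def decode_jwt_sections(token: str) -> Tuple[dict, dict, bytes]:
    # Decode each dot-separated section without checking the signature.
    # Useful for inspection only; never trust the payload from this function.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    # Returns the payload only if the token is well-formed, uses the algorithm we
    # expect, and its signature matches under our key; otherwise returns None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided_sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm on the verifier side instead of trusting the header's "alg".
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"  # constructed sample secret
    token = create_jwt({"sub": "alice", "role": "user"}, demo_key)
    print("token:", token)
    print("sections:", decode_jwt_sections(token))
    print("verified payload:", verify_jwt(token, demo_key))
```

Running the script prints a token whose first two sections start with `eyJ` (the base64url encoding of `{"`), exactly the shape shown above, and the verifier rejects the same token under any other key or with an edited payload section because the HMAC no longer matches.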
The first section is the “JOSE header”, and contains metadata about…