Use JWT (JWS) for authentication

Randil Fernando
Mar 17, 2018 · 4 min read

JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

Parts of a JWT

Header

    {
      "alg": "HS256",
      "typ": "JWT"
    }

Payload

    {
      "sub": "1234567890",
      "name": "John Doe",
      "admin": true
    }

Signature

    base64UrlEncode(header) + "." +

Putting it all together
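As an added example (not code from the article), the following signs and validates an HS256 token over the header and payload shown above, using only the Python standard library; it is the symmetric shared-key workflow, with the secret being a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Header and payload as shown in the article; the secret is a constructed placeholder.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True}
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    # base64url without the '=' padding, as JWS requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding stripped at encoding time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Signing input is base64url(header) + "." + base64url(payload); its
    # HMAC-SHA256 under the shared secret becomes the third part of the token.
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes):
    # Returns the payload dict on success, None on any failure (malformed token,
    # unexpected alg, bad signature). The payload is trusted only after the check.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Accept only the algorithm this verifier was built for; the token's own
    # "alg" field must never choose how it is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    return payload
```

The application server only needs the shared secret to run verify_hs256; any change to the header or payload, or a token signed under a different secret, is rejected before the claims are used.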


Other token types

Token-based authentication workflow

Token generation (Authentication server)

Token read (Client)

Token validation (Application server)

Symmetric (Shared key)

Asymmetric (Private/public key)

Written by Randil Fernando, Undergraduate, Department of Computer Science and Engineering, University of Moratuwa.
