“JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.”
When to use JWT?
Authorization: This is the most common use of JWT. Every time a user logs in, a token is generated and returned to that user, who sends it with subsequent requests. This permits the user to access the routes, services, and resources that the token allows whenever they are needed.
Information Exchange: JWTs are a good way of securely transmitting information between two parties. Because a JWT can be signed, for example with each party's public/private key pair, the recipient can check that the sender is who they claim to be. And because the signature is calculated over the header and the payload, the recipient can also verify that the content has not been tampered with.
What is the JWT structure?
A JWT consists of three parts separated by dots (.): the Header, the Payload, and the Signature.
Therefore, a JWT typically looks like header.payload.signature, with each part Base64Url encoded.
The header consists of the type of token, which is JWT, and the signing algorithm, such as HMAC SHA256 (HS256) or RSA. For example: {"alg": "HS256", "typ": "JWT"}
This JSON is then Base64Url encoded to form the first part of the JWT.
The payload contains claims, which are statements about an entity (typically the user) and additional data.
The JWT specification defines seven registered claims that can be included in a token. The registered claim names are: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID).
You can also use public and private claims to convey identity-related information such as a name or a category. When naming these, it is necessary to avoid name collisions, because private claims are not registered anywhere and public claims should use collision-resistant names.
An example of a payload could be:
{
  "name": "John Doe"
}
The payload is then Base64Url encoded to form the second part of the JSON Web Token.
The signature is made by taking the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and signing that input.
For example, with the HMAC SHA256 algorithm the signature is created like this:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
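Below is an added example, written for this page rather than taken from jwt.io or any JWT library, that builds and verifies an HS256 token with only the Python standard library, following the formula above. The secret, header and payload values are constructed samples, and tamper_payload is a helper added here only to show that a modified payload no longer matches the original signature.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64Url encoding as used by JWT: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that JWT omits."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(signature)."""
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the token is a well-formed HS256 JWT with a valid signature, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    encoded_header, encoded_payload, encoded_signature = parts
    try:
        header = json.loads(b64url_decode(encoded_header))
    except ValueError:
        return None
    # The verifier pins the algorithm it expects; the token's header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or header.get("typ") != "JWT":
        return None
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    try:
        presented = b64url_decode(encoded_signature)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        return json.loads(b64url_decode(encoded_payload))
    except ValueError:
        return None


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload segment but keep the old signature (constructed sample of a tampered token)."""
    encoded_header, _, encoded_signature = token.split(".")
    encoded_payload = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{encoded_header}.{encoded_payload}.{encoded_signature}"


# Constructed sample values; the secret is a placeholder, not a real key.
SECRET = b"example-secret-not-for-production"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": False}

if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    print("token:", token)
    print("verified payload:", verify_hs256(token, SECRET))
    forged = tamper_payload(token, {**PAYLOAD, "admin": True})
    print("tampered token verifies:", verify_hs256(forged, SECRET) is not None)
    print("wrong secret verifies:", verify_hs256(token, b"other-secret") is not None)
```

Two design choices matter for a verifier: the accepted algorithm is fixed in code rather than read from the token, and the signature comparison is constant-time. Running the script prints the token, the decoded payload, and False for both the tampered token and the wrong secret, which is exactly the "content hasn't been tampered with" property the article describes.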
You can use https://jwt.io/ whenever you want to inspect a JWT and see the connection between the header, the payload, and the signature.