
So what the heck is JWT or JSON Web Token?

Uday Hiwarale
JsPoint
Apr 15, 2018 · 8 min read

If you have worked on API authentication, the usual practice is to generate a unique, random token (a session ID) for a client, store it in the database, and look that token up (taken from a cookie, a header, or the body of the request) on every single incoming request. That means a database query every time the client touches a restricted area. That costs performance and, in turn, user experience.

This is the cost JWT is designed to avoid. It works the same way as described above, except for the database lookup. A JWT, or JSON Web Token, is a string that the client sends with each HTTP request so the server can validate who the client is. The server does not have to store the token at all: only the client keeps it (for example in a cookie or in local storage) and presents it with every request. The flip side of keeping no server-side state is that a token cannot simply be deleted from a table to revoke it; it stays valid until its expiry, unless you add a denylist, which brings a lookup back.

A JWT is signed with a secret key, and that key is private to you: you never publish it and you never put it inside the token. When a JWT comes back from the client, the server recomputes the signature with the same secret and compares it to the signature carried in the token. Any modification to the token, whether to its header or its payload, changes the expected signature, so verification (JWT validation) fails. One caveat: signing is not encryption. The header and payload are only base64url-encoded, so anyone holding the token can read the claims; never put secrets or sensitive personal data in them.

A JWT is simply a string, but it contains three distinct parts separated by dots (.): a header, a payload, and a signature.
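To make the signing, verification and three-part structure concrete, here is an added example (not code from the original article) that builds and checks an HS256 token with nothing but the Python standard library. The secret, the claims and the helper names are constructed for the illustration; a real deployment would load the secret from a secrets manager and would normally use a maintained library. The example also shows the tamper check in action by swapping the payload while keeping the old signature.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example. It lives only on the server and is
# never written into the token.
SECRET = b"server-side-secret-never-put-this-in-the-token"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token's own header decide
    # how it is verified (the classic "alg": "none" mistake).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("utf-8"), hashlib.sha256
    ).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    current = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or current >= exp):
        return None
    return claims


def tamper_payload(token: str, new_claims: dict) -> str:
    """Simulate an attacker replacing the payload but keeping the old signature."""
    header_b64, _, signature_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return ".".join([header_b64, payload_b64, signature_b64])


if __name__ == "__main__":
    token = create_jwt({"sub": "alice", "role": "user", "exp": 2_000_000_000}, SECRET)
    print("token:", token)
    print("valid     ->", verify_jwt(token, SECRET))
    forged = tamper_payload(token, {"sub": "alice", "role": "admin", "exp": 2_000_000_000})
    print("forged    ->", verify_jwt(forged, SECRET))   # None: signature no longer matches
    print("wrong key ->", verify_jwt(token, b"guess"))  # None: different secret, different MAC
```

The verifier deliberately ignores the `alg` value the token advertises and always uses HS256 with the server's key; trusting the header to select the algorithm is how `alg: none` and key-confusion attacks against JWT libraries have worked in the past.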
