Glossary

JWT

TL;DR

JWT (JSON Web Token) is an open standard for securely transmitting information between parties as a JSON object, commonly used for authentication and authorization in web applications.


Concept

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are digitally signed using a secret (with HMAC algorithm) or a public/private key pair (with RSA or ECDSA).

Key components and concepts of JWT include:

  1. Header: Contains metadata about the token, including the signing algorithm (e.g., HMAC SHA256 or RSA) and token type (JWT).

  2. Payload: Contains the claims, which are statements about an entity (typically the user) and additional data. There are three types of claims:

    • Registered claims: Predefined claims such as iss (issuer), exp (expiration time), sub (subject)
    • Public claims: Custom claims defined by applications
    • Private claims: Custom claims agreed upon between parties
  3. Signature: Created by combining the encoded header, encoded payload, a secret, and the algorithm specified in the header to verify the token’s integrity.

The structure follows the format: xxxxx.yyyyy.zzzzz where each part is Base64Url encoded and separated by dots.

JWTs are commonly used for:

  • Authentication: After user login, subsequent requests include the JWT, allowing access to routes, services, and resources permitted with that token
  • Information Exchange: Securely transmitting information between parties with verification that the sender is who they say they are

Benefits of JWT include:

  • Stateless: No need to store session information on the server
  • Cross-Domain: Can be used across different domains
  • Mobile-Friendly: Works well with mobile applications
  • Self-Contained: Contains all necessary user information

Organizations use JWT for implementing token-based authentication systems, single sign-on (SSO) solutions, and secure API access. It’s particularly popular in modern web applications and microservices architectures where stateless authentication is preferred.