JSON Web Tokens (JWT)

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. Here's an example of a JWT and a breakdown of its components.

Example JWT

A JWT consists of three parts: the header, the payload, and the signature. These parts are encoded as Base64Url strings and separated by dots (.). Here is an example of a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Breakdown of the JWT

1. Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC with SHA-256 (HS256) or RSA with SHA-256 (RS256). Note that the header is unauthenticated input until the signature has been checked, so a verifier must not simply trust whatever algorithm it names.

Example header:

{
  "alg": "HS256",
  "typ": "JWT"
}

When Base64Url encoded, this header becomes:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

2. Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered (names reserved by RFC 7519, such as iss, sub, aud, exp, nbf and iat), public, and private. The payload is only Base64Url encoded, not encrypted, so anyone who holds the token can read it.

Example payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

  • sub (subject): Identifier for the user.
  • name: Name of the user (a private claim, not a registered one).
  • iat (issued at): Unix timestamp (seconds) when the token was issued.

When Base64Url encoded, this payload becomes:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

3. Signature

To create the signature part, take the Base64Url-encoded header and the Base64Url-encoded payload, join them with a dot, and sign that string using the algorithm specified in the header and the key: a shared secret for HMAC algorithms, or a private key for RSA and ECDSA algorithms.

For example, if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Using the secret your-256-bit-secret as the HMAC key, the Base64Url-encoded signature is:

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Complete JWT

Combining these three encoded parts results in the JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Verification

To verify the JWT, the recipient must:

  • Split the token into its three segments and decode the header.
  • Check that the algorithm is the one the recipient expects. The expected algorithm is fixed by the verifier, not read from the header: a token whose header says "none", or names a different algorithm than the key was issued for, must be rejected.
  • Recompute the signature over the encoded header, a dot, and the encoded payload with the recipient's key (or verify it with the issuer's public key for asymmetric algorithms) and compare it with the token's signature using a constant-time comparison.
  • Only after the signature check passes, decode the payload and check the registered claims that apply, such as exp (expiration), nbf (not before), iss (issuer) and aud (audience).
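The following is an added example, not code from the original post, that carries the Signature section and the verification steps above through in working Python using only the standard library. It rebuilds the page's example token byte for byte from the header, payload and secret given above, then verifies it with the algorithm pinned to HS256, a constant-time signature comparison, and exp/nbf checks. The forged payload, the "alg": "none" token, the wrong key and the function names (sign_hs256, verify_hs256, demo) are this example's own constructions and assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Secret and token exactly as they appear on the page.
SECRET = b"your-256-bit-secret"
EXPECTED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    """Base64Url without '=' padding, as the JWS spec (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature as described in the Signature section."""
    # Compact JSON (no spaces) reproduces the page's encoded segments exactly.
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(mac)])


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Verify an HS256 JWT and return its claims, or raise ValueError.

    The accepted algorithm is fixed here, not taken from the token header:
    honoring "none" or a swapped algorithm is how algorithm-confusion
    attacks succeed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    # Recompute the MAC over the encoded segments as received and compare in
    # constant time so the comparison does not leak how much of the MAC matched.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    # Only now is the payload trustworthy; check the time-based registered claims.
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def demo() -> dict:
    """Reproduce the page's token, then show what the verifier rejects."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
    token = sign_hs256(header, payload, SECRET)
    results = {"matches_page": token == EXPECTED_TOKEN,
               "claims": verify_hs256(token, SECRET)}

    # Constructed attack tokens (not from the page): an attacker can edit the
    # payload or the header freely but cannot produce a MAC without the key.
    h, _, s = token.split(".")
    forged_payload = b64url_encode(b'{"sub":"0","name":"Admin","iat":1516239022}')
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    attempts = {
        "tampered": h + "." + forged_payload + "." + s,
        "alg_none": none_header + "." + forged_payload + ".",
        "wrong_key": sign_hs256(header, payload, b"guess"),
    }
    for name, bad in attempts.items():
        try:
            verify_hs256(bad, SECRET)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running the script prints matches_page -> True followed by the decoded claims and one "rejected: ..." line per forged token. The point of pinning the algorithm inside verify_hs256 rather than reading it from the header is that the header is attacker-controlled until the signature has been checked, so it cannot be used to decide how that check is performed.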

Summary

JWTs are used extensively in web applications for authentication and information exchange because of their compactness and because, when properly signed and verified, the recipient can trust that the claims came from the holder of the signing key and were not modified in transit. That guarantee rests entirely on the verification step: the payload is only encoded, not encrypted, so a JWT must not carry secrets, and a token whose signature has not been checked against the expected algorithm and key says nothing about who issued it.

json
encryption
digital-signature
hmac
sha256
website
security
single-sign-on
Software and digital electronics / IT
Posted by admin
2024-06-09 09:04