What is JWT Token and How it works

Ritik Chourasiya
6 min read · Apr 6, 2023


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way for securely transmitting information between parties as a JSON object.

JWTs are used for authentication and authorization purposes, as well as for sharing information between services in a distributed system. In this blog post, we will explore what JWT is, how it works, and provide examples of its use cases.

💎What is JWT?

JWT is a token format that consists of three parts: a header, a payload, and a signature. The header and payload are Base64Url-encoded JSON objects, while the signature lets the recipient verify that the token is authentic and has not been modified.

The three parts of the JWT are separated by dots, as shown below:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The header contains information about the type of the token (JWT) and the algorithm used to sign it (in this example, HMAC SHA-256). The payload contains the claims, which are statements about an entity (typically, the user) and additional metadata.

The signature is computed by applying the algorithm specified in the header to the Base64Url-encoded header and payload (joined by a dot, exactly as they appear in the token), along with a secret key known only to the issuer of the token.

💎How JWT Works

JWT is used to securely transmit information between parties. The issuer (often, a server) creates a token and sends it to the recipient (often, a client). The recipient can then use the token to authenticate or authorize requests to the issuer.

Here is an overview of how JWT works:

  1. The issuer creates a JWT token by encoding a JSON object as a Base64Url string.
  2. The issuer signs the token using a secret key that only it knows.
  3. The issuer sends the JWT token to the recipient.
  4. The recipient receives the JWT token and decodes it to obtain the claims.
  5. The recipient verifies the signature using the same algorithm and secret key that the issuer used.
  6. If the signature is valid, the recipient can trust the claims in the JWT and use them to authenticate or authorize requests to the issuer.

Let’s look at an example of how JWT can be used for authentication. Suppose we have a web application that requires users to log in to access certain resources. When a user logs in, the server generates a JWT token containing the user’s ID, email address, and role. The server signs the token using a secret key and sends it to the client.

When the client makes a request to the server, it includes the JWT token in the Authorization header. The server decodes the token, verifies the signature, and checks whether the user has the necessary role to access the requested resource. If the token is valid and the user has the necessary role, the server grants access to the requested resource.

Here is an example of a JWT token for a user:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ1c2VySWQiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJ1c2VyIn0.
SflK

In this example, the header indicates that the algorithm used to sign the token is HMAC SHA-256. The payload contains the user ID, email address, and role. The signature is generated by applying the HMAC SHA-256 algorithm to the base64-encoded header and payload, along with a secret key known only to the server.

💎JWT Claims

JWT claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: registered, public, and private.

Registered claims are defined by the JWT standard and have predefined meanings. Some of the most common registered claims are:

  • iss (issuer): identifies the entity that issued the token.
  • sub (subject): identifies the entity that the token refers to.
  • exp (expiration time): specifies the time after which the token is no longer valid.
  • iat (issued at): specifies the time at which the token was issued.
  • nbf (not before): specifies the time before which the token is not valid.

Public claims are defined by the users of JWT and can be used to add additional metadata to the token. For example, a public claim can be used to specify the user’s role or permissions.

Private claims are custom claims that are used to share information between parties that agree on their meaning. Private claims should be registered in a namespace that prevents collision with other claims.

Here is an example of a JWT token that contains registered, public, and private claims:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzkwMjIsImFkbWluIjp0cnVlfQ.
SflK

💎How JWT Works

The flow of JWT works as follows:

  1. The user sends their credentials (such as a username and password) to the server to authenticate themselves.
  2. The server verifies the credentials and generates a JWT containing the user’s claims.
  3. The server sends the JWT to the client as a response to the authentication request.
  4. The client stores the JWT (usually in local storage or a cookie) and sends it with each subsequent request to the server.
  5. The server verifies the JWT and, if valid, processes the request.

Here is an example of how JWT is used in a web application:

  1. The user enters their credentials and submits a login form.
  2. The server verifies the credentials and generates a JWT containing the user ID, email address, and role.
  3. The server sends the JWT to the client as a response to the login request.
  4. The client stores the JWT in local storage.
  5. The user makes a request to the server to access a protected resource.
  6. The client sends the JWT with the request in the Authorization header:
     Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzkwMjIsImFkbWluIjp0cnVlfQ.SflK
  7. The server verifies the JWT by validating the signature, checking the expiration time, and verifying that the user has the necessary permissions to access the resource.
  8. If the JWT is valid, the server returns the requested resource.
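The signing and verification steps listed above, together with the exp and nbf checks from the claims section, as an added example that is not code from the post: a minimal HS256 issuer and verifier written with only the Python standard library. DEMO_SECRET is assumed to be the jwt.io demo secret behind the post's first sample token; the verifier pins the algorithm instead of trusting the header, compares signatures in constant time, and enforces exp and nbf before returning any claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed: the demo secret jwt.io used for the post's first sample token. A real service
# must use a random key of at least 256 bits that never leaves the issuer.
DEMO_SECRET = b"your-256-bit-secret"

def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(payload: dict, secret: bytes) -> str:
    # The signing input is base64url(header) + "." + base64url(payload), exactly as transmitted
    signing_input = b64url_json({"alg": "HS256", "typ": "JWT"}) + "." + b64url_json(payload)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; a token asking for "none" or any other alg is rejected
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # RFC 7519: the current time must be before exp and must not be before nbf
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("token not yet valid")
    return claims

def claims_from_bearer(auth_header: str, secret: bytes, now=None) -> dict:
    # Step 6 of the flow above: take the token out of "Authorization: Bearer <token>"
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return verify_hs256(token.strip(), secret, now)
```

Note that the post's third sample token sets exp equal to iat, so a verifier with this check rejects it from one second after issuance onward.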

💎Advantages of JWT

JWT offers several advantages over traditional session-based authentication:

  1. Stateless: JWT is a stateless authentication mechanism, meaning that the server does not need to store session information. This makes it easier to scale the application horizontally and eliminates the need for a shared session store.
  2. Decentralized: JWT allows authentication to be delegated to third-party services such as social login providers or identity providers. This reduces the burden on the server and makes it easier to support multiple authentication methods.
  3. Cross-domain: JWT can be used to authenticate requests across different domains. This is because the token is self-contained and includes all the necessary information to verify the user’s identity.
  4. Security: JWT uses a digital signature to verify the authenticity of the token. This ensures that a token that has been tampered with or forged by an attacker is rejected when its signature is verified.

💎JWT Token Encryption

JWT (JSON Web Token) is a standard for securely transmitting information between parties as a JSON object. The data in a JWT is digitally signed and can be verified and trusted, making it a popular choice for authentication and authorization purposes.

However, JWTs are not encrypted by default, which means that the data in the token can be read by anyone who has access to it. This can pose a security risk if sensitive information, such as passwords or personal data, is included in the token.

To mitigate this risk, JWTs can be encrypted using a symmetric or asymmetric encryption algorithm. Encryption scrambles the data in the token, making it unreadable without the appropriate decryption key. This ensures that the information in the token remains confidential and secure.

Overall, encrypting JWTs adds an extra layer of security to the authentication and authorization process, making it harder for unauthorized parties to access sensitive information.

💎Conclusion

JWT is a powerful authentication mechanism that offers many advantages over traditional session-based authentication. It provides a secure and decentralized way to authenticate users, and it can be used in a variety of contexts, including web applications, mobile applications, and APIs. By understanding how JWT works and its advantages, developers can make informed decisions about when and how to use it in their applications.

Hope you find this article insightful 😉 💚

✨ Follow me on -

YouTube — https://www.youtube.com/@theritikchoure/

LinkedIn — https://www.linkedin.com/in/ritikchourasiya/

Twitter — https://twitter.com/theritikchoure


Ritik Chourasiya

I’m a 22 year old, still undergraduate backend developer based in India, with 2 years of experience in the software development industry.