CoderTools

JWT Encoder/Decoder

What is JWT?

JSON Web Token (JWT)

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

JWT Structure

A JWT consists of three parts separated by dots (.), which are:

xxxxx.yyyyy.zzzzz

  • Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256)
  • Payload: Contains the claims, i.e., statements about an entity (typically the user) and additional data
  • Signature: Used to verify that the sender of the JWT is who it claims to be and that the header and payload were not changed in transit

Signing Algorithms

JWT supports various signing algorithms:

  • HS256: HMAC with SHA-256. Symmetric algorithm using a shared secret
  • HS384: HMAC with SHA-384. Symmetric algorithm with stronger hash
  • HS512: HMAC with SHA-512. Symmetric algorithm with strongest hash
  • RS256: RSA Signature with SHA-256. Asymmetric algorithm using public/private key pair
  • RS384: RSA Signature with SHA-384. Asymmetric algorithm with stronger hash
  • RS512: RSA Signature with SHA-512. Asymmetric algorithm with strongest hash

Standard Claims

JWT defines several standard claims (registered claim names) that provide useful information:

  • iss (Issuer): Token issuer
  • sub (Subject): Subject of the token (typically the user ID)
  • aud (Audience): Intended audience
  • exp (Expiration Time): Expiration time (Unix timestamp)
  • nbf (Not Before): Not valid before time
  • iat (Issued At): Issued at time
  • jti (JWT ID): Unique identifier for the token
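The structure, HMAC signing and time-based claims described above, as an added example using only the Python standard library (this is not the CoderTools implementation; the secret and claims used in it are constructed for illustration):

```python
import base64, hashlib, hmac, json, time

# Added example: minimal HS256/HS384/HS512 encode and verify.
# Not the CoderTools implementation; secrets and claims are constructed.
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped on encode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), HASHES[alg]).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, secret: bytes, expected_alg: str = "HS256", now=None) -> dict:
    # Returns the payload when signature and time claims check out; raises ValueError otherwise
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(h))
    # The expected algorithm comes from server configuration, not from the token's own header
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), HASHES[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:  # exp: token is valid strictly before this time
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:   # nbf: token is not valid before this time
        raise ValueError("token not yet valid")
    return payload

def is_valid(token: str, secret: bytes, expected_alg: str = "HS256", now=None) -> bool:
    try:
        verify(token, secret, expected_alg, now)
        return True
    except ValueError:
        return False
```

Pass a fixed `now` to make the exp/nbf checks reproducible; in production, leave it unset so the current time is used.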

Common Use Cases

  • Authentication: After user login, each subsequent request includes the JWT, allowing access to routes, services, and resources
  • Information Exchange: Securely transmit information between parties with signature verification
  • Single Sign-On (SSO): Widely used for SSO features due to small overhead and cross-domain capability
  • API Authorization: Stateless authentication for RESTful APIs
  • OAuth 2.0 and OpenID Connect: Core component of modern authentication protocols

Security Note: JWTs are signed so that their authenticity can be verified, but they are not encrypted by default. Do not store sensitive information in the payload unless it is encrypted separately. Always transmit tokens over HTTPS. Store tokens securely (e.g., in httpOnly cookies for web applications). Implement proper token expiration and refresh mechanisms. Never expose your secret key in client-side code.
