What is JWT (JSON Web Token)?
JWT (JSON Web Token) is a popular standard for authentication and authorization in API-based systems. It is a compact, self-contained token that securely carries information between parties as a JSON object.
A JWT typically consists of three components: header, payload, and signature.
Anatomy of JWT Token:
Header: The header of a JWT contains information about the token’s type and the signing algorithm used. It is Base64Url encoded JSON. Commonly used fields in the header include:
Example:
{ “alg”: “HS256”, “typ”: “JWT” }
- alg: Specifies the algorithm used for signing the token (e.g., HMAC, RSA, or ECDSA).
- typ: Represents the type of token, which is typically set to “JWT”.
2. Payload (Claims): The payload of a JWT contains the actual data or claims. Claims are statements about the entity (subject) and additional metadata. There are three types of claims: registered, public, and private. Commonly used claims include:
Example:
{ “sub”: “1234567890”, “name”: “Naveen AutomationLabs”, “admin”: true }
- Registered Claims: These are predefined claims defined by the JWT standard (e.g., iss for issuer, exp for expiration time, sub for subject, aud for audience).
- Public Claims: These are custom claims created by the users of JWT.
- Private Claims: These are custom claims used by agreed-upon parties and are not defined in the JWT specification.
3. Signature: The signature of a JWT is created by combining the encoded header, encoded payload, and a secret key. It ensures the integrity and authenticity of the token. The signature is used to verify that the message was not tampered with during transmission. The signing process depends on the algorithm specified in the header (alg field). The signature is appended to the token as the third part.
Example:
HMACSHA256(
base64UrlEncode(header) + “.” +
base64UrlEncode(payload), secretKey )
The resulting JWT looks like header.payload.signature, where each part is Base64Url encoded.
JWT Server Side Verification Process:
For example, a complete JWT may look like:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWTs are commonly used for authentication and authorization in API-based systems. The server issues a JWT to a client upon successful authentication.
The client then includes the JWT in subsequent requests as an Authorization header (e.g., Authorization: Bearer <token>) to access protected resources.
The server verifies the JWT’s signature, validates the claims, and grants or denies access based on the token’s information.
Cheers!!
Naveen Khunteta
Naveen Automation Labs