
Day-6: JSON Web Tokens (JWT).

FENIL SHAH ・2 min read

Day-6: It was a lazy day, but I was also excited because the WWDC Apple Event 2020 is happening today. As I said on day-4, I was going to do research on cross-site WebSocket hijacking; I'm not doing this right now because it's kind of advanced for me or will need more time, so I have added it to my list and will do it soon! Today I did research on JSON Web Tokens (JWT)! So let's get started...!

What is a JSON Web Token (JWT)?

  • JSON Web Token (JWT) is an open standard (RFC 7519), which means anyone can use it. It is used to securely transfer information between any two parties, such as two servers or two users.
  • The main reason it is used is that it is digitally signed, which means the information can be verified and trusted. Any alteration of the data during the transfer is detected when the signature is checked!
  • It is compact: it can be sent via a URL, a POST request or an HTTP header, and this also makes transmission fast!

What problem does it solve?

  • Authentication
  • Authorization
  • Federated identity
  • Client-side sessions (“stateless” sessions)
  • Client-side secrets

What is the JSON Web Token structure?

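  • A JSON Web Token looks like this,

  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Breaking it down, a JWT is divided into 3 parts, separated by dots:

  • Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
  • Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
  • Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c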


Header:

  • Consists of 2 parts: the type of token and the signing algorithm!
  • This JSON is Base64Url encoded!
  • Eg.
  {
    "alg": "HS256",
    "typ": "JWT"
  }


Payload:

  • It contains the claims. Claims are basically user details and additional data such as iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
  • There are 3 types of claims:
    • Registered claims
    • Public claims
    • Private claims
  • This JSON is Base64Url encoded!
  • Eg.
  {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
  }


Signature:

  • It is formed by signing the encoded header and the encoded payload with the secret, using the algorithm named in the header.
  • The signature is used to verify the message wasn't changed along the way!
  • Eg.
  HMACSHA256(base64UrlEncode(header) + "." +
    base64UrlEncode(payload), secret)
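
An added example, not code from the original post: HS256 signing and verification with Python's standard library, using the header and payload segments of the sample token above. The secret `DEMO_SECRET` and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Header and payload segments copied from the sample token on this page.
PAGE_HEADER_B64 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
PAGE_PAYLOAD_B64 = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
DEMO_SECRET = b"constructed-demo-secret"  # constructed for this example only


def b64url_encode(raw: bytes) -> str:
    # JWT uses Base64Url with the trailing '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # signature = HMAC-SHA256(b64url(header) + "." + b64url(payload), secret)
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload of a valid HS256 token; raise ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # must be exactly 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Recompute the MAC over the segments exactly as they were received.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = sign_hs256(json.loads(b64url_decode(PAGE_HEADER_B64)),
                       json.loads(b64url_decode(PAGE_PAYLOAD_B64)), DEMO_SECRET)
    print(token)
    print(verify_hs256(token, DEMO_SECRET))
```

The payload is only encoded, not encrypted, so anyone holding the token can read the claims; the signature only shows that they were not changed.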

How does it work?

  • This picture explains it in a perfect way,

[Image: diagram of how JWT works]


Jwt.io doc: https://jwt.io/introduction/
JWT Handbook: https://www.fomasgroup.com/Portals/0/MgmNewsDocuments/jwt-handbook.pdf


Got doubts? Contact me on Twitter.
Feedback is welcome, do comment down below! :)


Hello devzzz, My name is Fenil Shah(18), I'm a security enthusiast as well as a Mozillian. I break into websites in my free time!

