DEV Community

loading...

What is JSON Web Token?

lahin31 profile image Muhammad Lahin ・2 min read

JSON Web Token or JWT is an authorization technique. It is for creating secure web applications.

JWT generally creates a secure way to transfer information between two parties as a JSON object, here the two parties can be a server and a client.

The token contains the user information along with some more additional information. The key difference between Session based authentication and Token based authentication(JWT) is in Token based authentication the user information is not store in the server, the user information stored in the token. Then the token stored in the browser, this is why JWT is considered more scalable than session.

Alt Text

In this picture, client makes a post request with { email: email, password: password } to login. The server takes the request then check the email & password then returns a token called JSON Web Token only if email & password both are correct. Then client will store the JWT(token) inside Local Storage or Session Storage.

Alt Text

Next time client sends a request with JWT(token) attached to get the response. The server verify the token if the token is correct then the server send the response back to the client.

To identify an authenticated person, you just need to put JSON Web Token in the API end point.

https://www.something.com/users/?token=eyJhbGciOiJIUzI1NiIs.eyJzdWIiOiIxMj.SflKxwRJSMeKKF2Q
Enter fullscreen mode Exit fullscreen mode

Here, eyJhbGciOiJIUzI1NiIs is called header, eyJzdWIiOiIxMj is called payload & SflKxwRJSMeKKF2Q is called signature/crypto.

JWT Structure

A Header is generally consists two parts, type of the token and the hashing algorithm used. For example,

{
  "algo": "HS256",
  "type": "JWT"
}
Enter fullscreen mode Exit fullscreen mode

HS256 signing algorithm being used in the token and type is JWT. Then the header is Base64Url encoded to make first part of the JWT.

The second part of JWT called Payload, the amount of data you want to include into JWT.

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Enter fullscreen mode Exit fullscreen mode

Then the payload is Base64Url encoded to make second part of the JWT.

The last part of JWT is a signature generated based on the Header and Payload. The signature used to verify the JWT is valid or not and the message wasn't changed along the way.

For example, if you want to use HMAC SHA256 algorithm, the signature will be created in the following order,

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret)
Enter fullscreen mode Exit fullscreen mode

You can encode and decode if you put all together. Go to https://jwt.io/

Alt Text

Discussion (0)

pic
Editor guide