DEV Community

Pranav Bakare
Pranav Bakare

Posted on

JWT Basics

#jwt #javascript #node #express

Here are the basics of JSON Web Tokens (JWT):

Structure

A JWT consists of three parts, each encoded in Base64Url format, separated by periods (.):

  1. Header: Describes the token type and signing algorithm.

    • Example: 
     {
   "alg": "HS256",
   "typ": "JWT"
 }

  2. Payload: Contains the claims or statements about the user and additional data. Claims are of three types:

    • Registered Claims: Predefined claims like sub (subject), iat (issued at), and exp (expiration).
    • Public Claims: Custom claims that can be defined but must be unique to avoid conflicts.
    • Private Claims: Custom claims agreed upon by the parties using the token.
    • Example: 
     {
   "sub": "1234567890",
   "name": "John Doe",
   "iat": 1516239022
 }

  3. Signature: Created by combining the encoded header and payload with a secret key using the specified algorithm (e.g., HMAC SHA256).

    • Example: 
     HMACSHA256(
   base64UrlEncode(header) + "." +
   base64UrlEncode(payload),
   secret
 )

Usage

  1. Authentication: JWTs are often used for authentication, where a server issues a token upon successful login. The client includes this token in subsequent requests, allowing the server to verify the user's identity.

  2. Authorization: JWTs can also be used to grant access to resources. The token may include roles or permissions that determine what the user can access.

Example Flow

  1. User Login: User logs in, and the server generates a JWT.
  2. Token Transmission: The server sends the JWT to the client.
  3. Client Requests: The client includes the JWT in the Authorization header of future requests.
  4. Server Verification: The server verifies the JWT's signature and extracts the claims to process the request.

Security Considerations

  • Confidentiality: JWTs are not encrypted by default, so sensitive information should not be included in the payload. For confidentiality, use JWTs with encryption or use HTTPS to protect tokens in transit.
  • Expiration: JWTs should have an expiration (exp claim) to limit their validity period and reduce risk if a token is compromised.
  • Signature: Always verify the signature of the JWT to ensure its authenticity and integrity.

JWTs are useful for their stateless nature, allowing authentication and authorization information to be transmitted securely between parties.

Top comments (0)

Read next

aliahadmd profile image

Why I Like Golang and Why It's the Best Language for Me.

Ali -

corrosive4354 profile image

Deploy Node.js 14.17 development environment in 2 minutes

corrosive4354 -

imsushant12 profile image

Mastering Event-Driven Programming with the EventEmitter in Node.js

Sushant Gaurav -

hamzakhan profile image

Building Your First MVC Architecture in Next.js 🚀

Hamza Khan -