DEV Community

Sayed Naweed Rizvi

What are JSON Web Tokens (JWT)

You may be asking yourself, "What in the world is a JSON Web Token and why do I need to know about it?"

What is a JSON Web Token (JWT)

In a nutshell, a JWT is a compact, signed way to pass claims between parties. Think of it like a tamper-evident wristband at an event: anyone can read what is printed on it, but only the organiser can issue one, and a wristband that has been cut and re-taped is obvious at the door.

JWTs are a means of transferring data between client and server in an API call as a base64url-encoded JSON structure. In the common form (a JWS, RFC 7515), the token is signed, not encrypted: anyone who holds the token can decode and read the payload, so it must never carry secrets. Encrypted tokens (JWE) exist but are a separate, less common form.

The information can be trusted because it is digitally signed by the issuer: any change to the header or payload in transit makes the signature fail verification and the token is rejected.

How does JWT work?

A JWT consists of 3 base64url-encoded parts separated by dots, `header.payload.signature`

  1. Header
    The header specifies the algorithm used to sign the JWT (the `alg` field, e.g. `HS256` or `RS256`) and usually the token type (`typ: "JWT"`). The verifier must decide which algorithm it accepts up front rather than trusting this field; a token claiming `alg: "none"` must be rejected.

  2. Payload
    The payload contains the claims. Claims are statements about an entity (typically the user) and additional data. Registered claims such as `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expiry) and `iat` (issued at) have standard meanings; anything else is application-defined.

  3. Signature
    The signature is computed over the encoded header and payload (the string `base64url(header) + "." + base64url(payload)`) with a shared secret (HMAC) or the issuer's private key (RSA/ECDSA). It lets the receiver verify that the token was produced by the expected issuer and that neither part was changed along the way.

Why use them

JWTs have a few key benefits.

Self-Contained
JWTs are self-contained. This means that all of the information needed to verify the authenticity of the token is contained within the token itself (plus the verification key the server already holds). There is no need to look up a session store to establish who the user is on every request.

Stateless
JWTs are stateless. This means the server doesn't need to keep track of the token or the user's session, which makes things easier and more efficient for the server. The flip side is that a token stays valid until it expires: the server cannot simply "log out" a user or revoke a stolen token unless it keeps some state after all (a short `exp` plus a denylist, or refresh tokens). Keep token lifetimes short for this reason.

Platform Agnostic
JSON Web Tokens (JWTs) are a widely used industry standard for securely transmitting information between parties. As a result, there are libraries available for implementing JWTs in a variety of programming languages.

Here is a non-exhaustive list of some popular programming languages and the libraries that can be used for working with JWTs in those languages:

JavaScript: jsonwebtoken, jwt-simple, jwt-decode
Python: PyJWT, python-jwt
Java: java-jwt, jjwt
Go: golang-jwt/jwt (the maintained fork of the archived jwt-go)
Ruby: jwt, ruby-jwt
C#: System.IdentityModel.Tokens.Jwt
PHP: firebase/php-jwt
Swift: JWT

This is just a small sampling of the many libraries that are available for working with JWTs in different programming languages. There are likely even more options available depending on the specific needs of your application.

It's worth noting that while there are many libraries available for working with JWTs, the core principles of how JWTs work and how they are implemented are generally the same across languages. This means that once you have a solid understanding of how JWTs work, you should be able to apply that knowledge when working with JWTs in any language.

Where are JWTs used

One common use case for JSON Web Tokens (JWTs) is to carry an authenticated user's identity and permissions to an API, so the API can authorize each request.
Here's an example of how JWTs might be used for this in a web application:

  1. The user logs into the web application and provides their credentials (e.g. username and password).

  2. The server verifies the user's credentials and, if they are valid, generates a JWT (with a short expiry) and sends it back to the user's browser.

  3. The user's browser stores the JWT, ideally in an HttpOnly, Secure cookie. Local storage is readable by any JavaScript running on the page, so an XSS bug there hands the token to the attacker.

  4. For subsequent requests to the server, the user's browser includes the JWT with the request, either automatically as the cookie or explicitly in an `Authorization: Bearer <token>` header.

  5. The server verifies the JWT: it checks that the algorithm is the one it expects, that the signature is valid for its key, and that `exp` has not passed (and `iss`/`aud` match if set). If all checks pass, the request proceeds; if the JWT is invalid or has expired, the server returns an error and denies the request.

This process allows the server to verify the user's identity and authorize their actions without maintaining a session or storing information about the user on the server. This can make the application more scalable and efficient, as it reduces the amount of data the server needs to store and manage.
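The three-part structure described earlier and the verify-on-every-request step of the flow above, as an added stdlib-only Python example (this is not the author's code and not any of the libraries listed on the page, which should be preferred in real services). The secret, issuer name, claims and clock values are constructed for the demo; the verifier pins `HS256`, checks the signature in constant time and then checks `exp` and `iss`, and the demo shows a tampered payload, an `alg: none` token and an expired token all being rejected while the payload of a valid token remains readable without the key.

```python
"""Minimal JWT (HS256) issue / peek / verify using only the standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real HS256 key is >= 32 random bytes from the OS.
SECRET = b"demo-secret-do-not-use-in-production"
ISSUER = "auth.example"  # hypothetical issuer name for the demo


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as the JWS spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, secret: bytes, ttl_seconds: int = 900,
             now: Optional[int] = None) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_json_part(header)}.{_json_part(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def peek_payload(token: str) -> dict:
    """Decode the claims WITHOUT verifying. Anyone holding the token can do this,
    which is why a JWS must never carry secrets."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, secret: bytes, expected_iss: str,
               now: Optional[int] = None) -> dict:
    """Server-side check performed on every request; returns the claims or raises."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the header's alg is attacker-controlled input, so it
    # must never select the verifier (this is what rejects alg=none).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise InvalidToken("bad signature")
    payload = json.loads(b64url_decode(p64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise InvalidToken("expired")
    if payload.get("iss") != expected_iss:
        raise InvalidToken("wrong issuer")
    return payload


def reject_reason(token: str, now: int) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, SECRET, ISSUER, now=now)
        return None
    except InvalidToken as exc:
        return str(exc)


def demo() -> dict:
    """Exercise the happy path and three failure modes with a fixed clock."""
    now = 1_700_000_000
    token = sign_jwt({"sub": "user-42", "iss": ISSUER, "role": "member"}, SECRET, now=now)
    results = {"valid": verify_jwt(token, SECRET, ISSUER, now=now)["sub"] == "user-42"}
    # The payload is plain base64url: readable by anyone, no key needed.
    results["readable_without_key"] = peek_payload(token)["role"]
    # Tampering: rewrite role=admin in the payload but keep the old signature.
    h64, _p64, s64 = token.split(".")
    forged = f"{h64}.{_json_part(dict(peek_payload(token), role='admin'))}.{s64}"
    results["tampered_rejected"] = reject_reason(forged, now)
    # alg=none: an unsigned token with an empty signature segment.
    none_token = f"{_json_part({'alg': 'none', 'typ': 'JWT'})}.{_p64}."
    results["alg_none_rejected"] = reject_reason(none_token, now)
    # Expiry: the same valid token presented after its 900 s lifetime.
    results["expired_rejected"] = reject_reason(token, now + 901)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the tamper check passes only because the server recomputes the HMAC itself; the `exp` and `iss` checks run after the signature check so that an attacker cannot use claim parsing to probe a token the server has not yet authenticated.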

It's important to note that JWTs should be signed with a strong algorithm and key (HS256 with a long random secret, or RS256/ES256 with a private key that never leaves the issuer), that the verifier must only accept the algorithm it expects, and that the token should be stored in a location the page's JavaScript cannot read (an HttpOnly, Secure, SameSite cookie rather than local storage). The signature is what prevents tampering; careful storage is what keeps the token from being stolen and replayed.

So, there you have it! A crash course on JSON Web Tokens.
