JWT's content

The JWT is a way to use token. It has three part to hold those information:

• Header. The meta information of the JWT token.
• Payload. The data about authentication. For example, the user name and the role of he/she.
• Secret. The hashed value of the header, payload, and the salt only server know.

Here is the link to wikipedia.

So we can say that:

Secret = hashed(Header, Payload)

The server, which deal with the JWT token, will run the hashed function again and check if the secret part is same.

Salt

As we know, that store user's password in clear text is a stupid behavior. If attacker get the database, he will use the data to attack other website (because many user use the same password and username in different website).

So a better way to hold those user's password is using hash function. But attacker will build a rainbow table (link to wikipedia) to attack. So we use the salt, to build it, it works well if the attacker has no idea what the salt is:

const hashed_password = hash(password, salt);

But we cannot avoid that attacker build the rainbow table if he know the hash function and the salt. So the best way is using bcrypt, bcrypt use random salt and hash the password again and again to add the time to get the hashed value. If attacker want to get the original password, even through he/she get the table and those salt, he/she need more time to build the rainbow tables and need build A LOT OF rainbow tables! It is so hard to make it, so attacker will never get the original password.