JSON web token is one of the most commonly used type of authentication tokens.

• It consists of three components

Header, Payload, signature

• All this 3 are separated by '.'

Header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

• This is base64url-encoded string

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 - is a header consists of algorithm used to generate the signature.

{
"alg": "HS256",
"typ": "JWT"
}

Payload

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ - This contains the user meta data

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c - It helps to validate the token that no one is tampered with it

Token's signatures need to be verified at server end compulsory.

Token need to restricted with 'alg' field in backend with some algorithm it should not left to 'none'

HMAC and RSA

• HMAC requires the token to be signed with a key and then later verified with the same key(secret key)
• RSA token first creates with private key and it is verified with public key later

Thanks for reading

Read my article about token based authentication