What Is JSON Web Token?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained format for securely transmitting claims between parties as a JSON object; it is commonly used as an access token.
JWTs are widely used in web development, particularly for authorization and for exchanging information whose integrity must be verifiable (a signed JWT protects integrity; confidentiality requires encryption, as noted below).
A JWT contains information or assertions about a subject, such as a user's identity, and includes metadata about the token. This information is digitally signed, ensuring that it can be verified and trusted by the receiving party.
A JWT is composed of three parts separated by dots (.):
- Header. The header typically consists of two parts: the type of token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload. The payload, also known as the body, contains the claims or assertions. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Signature. To create the signature, you take the Base64url-encoded header and the Base64url-encoded payload joined by a dot, and sign that string with a secret (or private key) using the algorithm specified in the header.
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. The signature validates the token's integrity and ensures it has not been tampered with.
JWTs are often used in authentication and authorization mechanisms. In an authentication context, once the user logs in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources permitted with that token. Because of their compact structure, JWTs can be sent through a URL, POST parameter, or inside an HTTP header.
While JWTs provide a robust method for representing claims securely between two parties, it's essential to ensure that sensitive information is not stored in the payload unless it's encrypted: the header and payload are only Base64url-encoded, not encrypted, so anyone who obtains the token can decode and read them.