Understanding JSON Web Tokens

A comprehensive guide to JSON Web Tokens: what they are, how they work, and when to use them

What are JSON Web Tokens?

JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Key Benefits of JWTs

  • Compact: JWTs can be sent through URL, POST parameter, or inside an HTTP header. Additionally, due to their size, transmission is fast.
  • Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
  • Portable: A single token can be used with multiple backends.

When should you use JWT?

Here are some scenarios where JSON Web Tokens are useful:

Authentication

This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.

Information Exchange

JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are.

Stateless Applications

For modern applications, the ability to scale is important. JWTs allow for stateless authentication, enabling your applications to be more scalable.

Structure of a JSON Web Token

A JWT consists of three parts, separated by dots (.):

xxxxx.yyyyy.zzzzz

Header

Contains the algorithm used for signing and the token type

Payload

Contains the claims or the data being transferred

Signature

Used to verify the sender and ensure the data wasn't changed

1. Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

{
  "alg": "HS256",
  "typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

2. Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data.

There are three types of claims:

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.
  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered nor public claims.
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}

The payload is then Base64Url encoded to form the second part of the JWT.

3. Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

How JWT Works

In authentication, when the user successfully logs in using their credentials, a JSON Web Token is returned. This token should be saved locally (typically in local storage, but cookies can also be used), instead of the traditional approach of creating a session in the server and returning a cookie.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema:

Authorization: Bearer <token>

This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.

Security Considerations

While JWTs can be encrypted to also provide secrecy between parties, we'll focus on signed tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties.

When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

Some important security considerations:

  • Keep it secret: The signing key should be kept secure.
  • Set proper expiration: Always use the exp claim to limit the lifetime of your tokens.
  • Validate all claims: Always validate the issuer, audience, and subject of the token if applicable.
  • Use HTTPS: Always use HTTPS to prevent token theft via man-in-the-middle attacks.
  • Consider token size: Since JWTs are included in HTTP headers, they should be relatively small.

Conclusion

JSON Web Tokens provide a compact, self-contained method for securely transmitting information between parties. Their simplicity, portability, and the ability to be easily processed across different platforms make them an excellent choice for authentication systems and information exchange scenarios.

With JWT Toolbox, you have all the tools you need to decode, verify, and generate JWT tokens securely in your browser. No data is ever sent to our servers, ensuring your tokens remain secure and private.

Ready to Try It?

Use our JWT Decoder to inspect your tokens or the JWT Generator to create new tokens with your custom payload.