
JWT Token Details#

  • JWT stands for JSON Web Token. It is a token format whose contents are JSON, designed to be carried in web requests (typically in an HTTP Authorization header).
  • JWT is the most widely used token type today because of the features and advantages described below.
  • JWTs can be used both for Authentication/Authorization and for information exchange: the token itself can carry certain user-related data, which reduces the burden of keeping those details in server-side sessions.
  • A JWT has 3 parts, each separated by a dot (.). Below is a sample JWT.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c


eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
\____________header________________/

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
\_______________________________payload__________________________________/

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
\___________Signature(Optional)___________/
  • So the first part is the header, the second part is the payload and the third part is the signature.
  • In the header, we store metadata about the token. If we choose to sign the token, the header names the algorithm used to generate the signature (the alg header parameter). See the example JSON header below.
{
  "alg": "HS256",
  "typ": "JWT"
}
  • This header JSON is then Base64url-encoded (Base64 with URL-safe characters and no = padding), giving the result below.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
\____________header________________/

Payload#

  • In the payload, we store details about the user, roles, etc. which are used later for Authentication and Authorization. There is no limit on what we can put in the payload or how, but we should keep it as light as possible. Because the payload is only Base64url-encoded, not encrypted, anyone holding the token can read it, so never put passwords or other secrets in it. Let's see the example JSON payload below.
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
  • This payload JSON is likewise Base64url-encoded, giving the result below.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
\_______________________________payload__________________________________/

Signature#

  • The signature can be left out only when the JWT is exchanged between internal parties you trust, over a channel that is not exposed to the open web. Note that the verifier, not the token, must decide which algorithm is acceptable: a verifier that honours "alg": "none" from the header will accept unsigned tokens from anyone.
  • If the token is handed to client applications used by everyone on the open web, we must make sure that no one can change the header and payload values, such as authorities or username.
  • To make sure no one tampered with the data on the network, we attach a signature over the content when the token is generated. To create the signature, take the encoded header, the encoded payload, a secret, and the algorithm named in the header, and sign the first two with the secret.
  • For example, if you use the HMAC SHA256 algorithm (HS256), the signature is created as follows:
HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload), secret
)

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
\___________Signature(HMACSHA256)_________/
  • The signature is used to verify that the message wasn't changed along the way, and, in the case of a token signed with a private key, it also verifies that the sender of the JWT is who it says it is.
  • Putting it all together, a JWT is three Base64url strings separated by dots. It can be passed easily in HTML and HTTP environments and is more compact than XML-based standards such as SAML.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
\____________header________________/

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
\_______________________________payload__________________________________/

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
\___________Signature(Optional)___________/

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
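The following Python is an added example, not code from the original page: it carries out the three steps described above on this page's own sample token. It splits the token and Base64url-decodes the header and payload (restoring the stripped = padding), computes the HS256 signature with the exact formula from the Signature section, and verifies a token with a fixed, verifier-chosen algorithm and a constant-time comparison. It assumes the sample token was signed with the secret your-256-bit-secret (the secret the jwt.io debugger uses for this sample); the function names and the tampered-token helper are the example's own.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# The sample token from this page (the well-known jwt.io example token).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
# Assumption: the secret the jwt.io debugger uses for this sample token.
SAMPLE_SECRET = b"your-256-bit-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_unverified(token: str) -> tuple[dict, dict, str]:
    """Split a JWT into (header, payload, signature segment) WITHOUT checking the
    signature. Only safe for inspection: header and payload are merely encoded."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT exactly as the page's formula describes:
    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    # Compact JSON (no spaces) so the segments match the page's sample encoding.
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify an HS256 token and return its payload; raise ValueError otherwise.
    The accepted algorithm is fixed here, never taken from the token, so an
    'alg': 'none' header cannot turn signature checking off."""
    header, payload, sig_segment = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only HS256 is accepted")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # compare_digest is constant-time, so response timing does not leak the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_segment)):
        raise ValueError("signature mismatch: token was altered or signed with another key")
    return payload


def tampered_token(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the old signature: what an
    attacker who edits the Base64url text on the wire produces (helper for this example)."""
    header_seg, payload_seg, sig_seg = token.split(".")
    payload = json.loads(b64url_decode(payload_seg))
    payload.update(changes)
    new_payload_seg = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return ".".join([header_seg, new_payload_seg, sig_seg])


if __name__ == "__main__":
    header, payload, _ = decode_unverified(SAMPLE_TOKEN)
    print("header :", header)
    print("payload:", payload)
    print("verified payload:", verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET))
    forged = tampered_token(SAMPLE_TOKEN, name="Mallory")
    try:
        verify_hs256(forged, SAMPLE_SECRET)
    except ValueError as err:
        print("forged token rejected:", err)
```

Run it directly to see the decoded header and payload, the verified payload, and the rejection of a token whose payload was edited after signing. The design point is in verify_hs256: it pins the algorithm to what the verifier expects and compares MACs with hmac.compare_digest, rather than reading alg from the untrusted header and using a plain == on the signature bytes.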
