Open in app

Sign in

Write

Sign in

JWT — Json Web Tokens

Yashod Perera
4 min readJun 12, 2020
Photo by Kayla Farmer on Unsplash

JWT is popular but is it that simple? Yes it is.

Hello developers, In this post I am going through,

  • What are JWT tokens.
  • How it is working.

What are JWT tokens.

First let’s figure it out what is a token? If you are an employee of a company, a university student or a citizen then you must have a token to identify you. As an example it’s your identity card. In IT world authentication is a critical part. There are so many ways of authentication like sessions, tokens, SSO etc. Then tokens are also used to identify you.

Wait a minute!!! is it containing my username and password? No It is not.

JWT or Json Web Token is a type of tokens and it has its own way of securing the authentication mechanism.

JWT has 3 main components called,

  • Header
  • Payload
  • Signature
Header.Payload.Signature

As shown above they are separated using dots(.).

Header Section

Header section normally containing 2 parts.

  • Type of the token which is typically JWT.
  • Hashing algorithm of the signature.
{
    "alg": "RS256",
    "typ": "JWT"
}

JWT token used 3 letter identifiers because the token should be compact.

Then the header section encrypted using Base64Url encoding.

input  -> Base64Url(Header)
output -> ewogICAgImFsZyI6ICJSUzI1NiIsCiAgICAidHlwIjogIkpXVCIKfQ==

Payload Section

Payload section contains all the claims named registered claims, public claims and private claims.

Wait what claims? what are those? Okay let me explain.

Claims are the data which you should add to the token. As an example there should be an issuer , issued time, expire time, or any data which you should included.

Please do not include any confidential data such as passwords in this tokens.

Following is an example of a payload.

{
  "iat": 1516239022, 
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

As you can see in the above example there are some greek identifiers such as “iat”, “sub”. Those are the registered claims.

There are registered claims such as “iat” — issured at, “sub” — subject, “eat” — expired at etc. Other fields are the private claims.

This payload is also encrypted using Base64Url encoding.

Wait wait!! Then all this information can be generated by someone else or anyone can read this? Yes the payload and header can be generated and that’s why it is told not to include any confidential informations in JWT.

So how you can tell whether this is secure? The secure part is implemented using this signature.

Signature section

This section is the most critical section which will help to make a unique hashed string(As you know hashed strings cannot be decrypted).

Wait! Could you please explain this more? Yes.

In signature section what it does is it will take the base64Url encoded header, base64URl encoded payload and a secret and hash it using the algorithm mentioned in the header.

Hash(Base64Url(header) + Base64Url(payload) + secret)

I hope now you have a basic knowledge of the JWT. Then let’s learn how this JWT work and how this signature help to secure authentication mechanism.

How JWT are working

Let’s go through the formal process of authentication and JWT token issuing process and validation using following diagram.

  1. First user post credentials to the backend.
  2. Backend authenticate the user and if authenticated it will generate a JWT token with the secret in the backend and send it to the user.
  3. User will send every request with the token given.
  4. Backend validate the token with the secret and if validated only it will send the appropriate response else 401(Unauthorised).

Everything is fine. Could you please explain the validating process? Yes. It is the next section.

Validation process

In validation process what it does is,

  • First take the JWT token and identified the hashed algorithm mentioned in the header section.
  • Then the backend will recreate the token using the Base64Url(Header), Base64Url(Payload) and the secret in the backend.
  • If the generated value and the signature are same then the token is same which generated from the backend. If not it is altered by someone. Then it is not validated.

Can someone generate the JWT token? No.

JWT can be only generated and validate with the same secret. The hashed signature cannot be decrypt then the secret cannot be reviled. Then token cannot be generated by a third party. If someone change the payload it will not validate against the signature.

Hope you get a better understanding about JWT — Json Web Tokens.

If you have found this helpful please hit that 👏 and share it on social media :)

Jwt
Jwt Token
Jwt Auth
Authentication

--

--

Yashod Perera

Written by Yashod Perera

259 Followers

Technical Writer | Tech Enthusiast | Open source contributor

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams