Photo by Kayla Farmer on Unsplash

JWT is popular but is it that simple? Yes it is.

Hello developers, In this post I am going through,

What are JWT tokens.

First let’s figure it out what is a token? If you are an employee of a company, a university student or a citizen then you must have a token to identify you. As an example it’s your identity card. In IT world authentication is a critical part. There are so many ways of authentication like sessions, tokens, SSO etc. Then tokens are also used to identify you.

Wait a minute!!! is it containing my username and password? No It is not.

JWT or Json Web Token is a type of tokens and it has its own way of securing the authentication mechanism.

JWT has 3 main components called,


As shown above they are separated using dots(.).

Header Section

Header section normally containing 2 parts.

"alg": "RS256",
"typ": "JWT"

JWT token used 3 letter identifiers because the token should be compact.

Then the header section encrypted using Base64Url encoding.

input  -> Base64Url(Header)
output -> ewogICAgImFsZyI6ICJSUzI1NiIsCiAgICAidHlwIjogIkpXVCIKfQ==

Payload Section

Payload section contains all the claims named registered claims, public claims and private claims.

Wait what claims? what are those? Okay let me explain.

Claims are the data which you should add to the token. As an example there should be an issuer , issued time, expire time, or any data which you should included.

Please do not include any confidential data such as passwords in this tokens.

Following is an example of a payload.

"iat": 1516239022,
"sub": "1234567890",
"name": "John Doe",
"admin": true

As you can see in the above example there are some greek identifiers such as “iat”, “sub”. Those are the registered claims.

There are registered claims such as “iat” — issured at, “sub” — subject, “eat” — expired at etc. Other fields are the private claims.

This payload is also encrypted using Base64Url encoding.

Wait wait!! Then all this information can be generated by someone else or anyone can read this? Yes the payload and header can be generated and that’s why it is told not to include any confidential informations in JWT.

So how you can tell whether this is secure? The secure part is implemented using this signature.

Signature section

This section is the most critical section which will help to make a unique hashed string(As you know hashed strings cannot be decrypted).

Wait! Could you please explain this more? Yes.

In signature section what it does is it will take the base64Url encoded header, base64URl encoded payload and a secret and hash it using the algorithm mentioned in the header.

Hash(Base64Url(header) + Base64Url(payload) + secret)

I hope now you have a basic knowledge of the JWT. Then let’s learn how this JWT work and how this signature help to secure authentication mechanism.

How JWT are working

Let’s go through the formal process of authentication and JWT token issuing process and validation using following diagram.

  1. First user post credentials to the backend.
  2. Backend authenticate the user and if authenticated it will generate a JWT token with the secret in the backend and send it to the user.
  3. User will send every request with the token given.
  4. Backend validate the token with the secret and if validated only it will send the appropriate response else 401(Unauthorised).

Everything is fine. Could you please explain the validating process? Yes. It is the next section.

Validation process

In validation process what it does is,

Can someone generate the JWT token? No.

JWT can be only generated and validate with the same secret. The hashed signature cannot be decrypt then the secret cannot be reviled. Then token cannot be generated by a third party. If someone change the payload it will not validate against the signature.

Hope you get a better understanding about JWT — Json Web Tokens.

If you have found this helpful please hit that 👏 and share it on social media :)

Technical Writer | Tech Enthusiast | Open source contributor