JSON Web Token (JWT) is an open standard (RFC 7519) based on JSON for creating a token that is used to send data between applications or services while ensuring that the data is valid and has not been altered.
The most common use case of JWT is handling authentication in mobile or web applications. When the user wants to authenticate, they send their login data to the server, which generates the JWT and returns it to the client application; in each subsequent request the client sends this token, and the server uses it to verify that the user is correctly authenticated and to know who they are.
This is not the only use case for JWT: it can be used to transfer any data between several services while making sure that the data is always valid.
For example, if we have an email service, another service could send it a request with a JWT alongside the content of the mail or any other necessary data, so that we can be sure the data was not altered in any way.
Structure of a JWT
A JWT has a defined, standard structure made of three parts:
header.payload.signature
The first two parts (header and payload) are URL-safe base64 strings created from two JSON objects. The third part (signature) takes the other two parts and signs them using an algorithm (usually HMAC with SHA-256, named HS256 in the header). Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEiLCJ1c2VybmFtZSI6InNlcmdpb2R4YSJ9.Qu7rv5wqk6zGjiMU8ZixwvKQGBNW9hhj55DbSP50b1g
Header
The JWT header has the following form:
{
"alg": "HS256",
"typ": "JWT"
}
The alg property indicates the algorithm used in the signature, and the typ property defines the type of token, in our case JWT.
Possible properties
- Token Type (typ) – Identifies the token type.
- Content Type (cty) – Identifies the type of content (it should always be JWT).
- Signed Algorithm (alg) – Indicates which algorithm was used to sign the token.
- Any other property included in JWS and JWE.
Payload
The payload of a JWT is a JSON object that can have any property, although there are a number of property names defined in the standard.
{
"id": "1",
"username": "sergiodxa"
}
That is the payload used in the example JWT.
Standard Properties
- Creator (iss) – Identifies who created the JWT.
- Reason (sub) – Identifies the reason for the JWT; it can be used to limit its use to certain cases.
- Audience (aud) – Identifies who is supposed to receive the JWT. An example may be web, android or ios. Whoever uses a JWT with this field must also send the value defined in this property in some other way.
- Expiration time (exp) – A date that serves to verify whether the JWT has expired and to force the user to re-authenticate.
- Not before (nbf) – Indicates from which moment a JWT starts being accepted.
- Created (iat) – Indicates when the JWT was created.
- ID (jti) – A unique identifier for each JWT.
Signature
Finally, the signature of the JWT is generated from the previous two fields in base64 and a secret key (known only to the servers that create or use the JWT) using a signing algorithm; for HS256 this is HMAC with SHA-256, not encryption. Here is how it is done (in pseudocode):
key = 'secret'
unsignedToken = base64UrlEncode(header) + '.' + base64UrlEncode(payload)
signature = base64UrlEncode(HMAC_SHA256(key, unsignedToken))
token = unsignedToken + '.' + signature
In this way we get the signature and add it to the end of our JWT.
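The procedure above as working Python, added here as an example that is not part of the original article or of any library: it signs with HS256 and also shows the verification side, which pins the algorithm before checking the signature and applies the exp and nbf claims. The key 'secret' and the id/username payload are the values from the article; the time values in the comments are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature as described in the article."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) reproduces the segments shown in the article.
    unsigned = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return unsigned + "." + b64url_encode(signature)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: a header claiming anything but HS256 is rejected
        # before the signature is even looked at.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so timing does not reveal matching bytes.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    now = time.time() if now is None else now
    # Standard time claims from the article: reject expired or not-yet-valid tokens.
    if "exp" in payload and now >= payload["exp"]:
        return None
    if "nbf" in payload and now < payload["nbf"]:
        return None
    return payload
```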
Implementations
JWT can be used in almost any language, and there are many libraries with which you can create, read and verify JWTs: