JSON Web Tokens (JWT)

In software solutions, authentication is essential to ensure that a system is accessed only by authenticated users and systems. Nowadays most solutions depend on web APIs (mostly REST), and an API exposed on the web is open to attack or to use by unwanted systems.

HTTP is a stateless protocol: by itself it cannot tell whether the caller is authorized or not. On websites this was solved with sessions and cookies, but for a Web API there is no such identification key. To identify the caller, we use JSON Web Tokens, commonly known as JWT.

JWT is an open standard (RFC 7519) for passing claims between two parties in a form the receiving party can trust.

The token itself is not JSON; it is a Base64url-encoded form of JSON data. That JSON data contains the details used to identify the user. Note that Base64url is an encoding, not encryption: anyone holding the token can decode and read the payload. Check the screenshot from jwt.io below.

JSON token decoded on jwt.io

Structure of JWT

A JWT has 3 parts, separated by dots (header.payload.signature):

  • Header
  • Payload
  • Signature

The header contains metadata, which at minimum includes the signing algorithm (alg, for example HS256 or RS256) and the token type (typ, normally JWT).

The payload contains the claims, mostly details about the user. Claims fall into three groups: registered claim names, public claim names and private claim names.

Registered claims

  • iss: The issuer of the token
  • sub: The subject of the token
  • aud: The audience of the token
  • exp: JWT expiration time defined in Unix time
  • nbf: “Not before” time that identifies the time before which the JWT must not be accepted for processing
  • iat: “Issued at” time, in Unix time, at which the token was issued
  • jti: JWT ID claim provides a unique identifier for the JWT

The signature is computed over the encoded header and payload using the algorithm named in the header. The signing key (a shared secret for HMAC algorithms, or a private key for RSA/ECDSA) is held by the server so it can verify existing tokens and sign new ones. Because the header is attacker-controlled until the signature is checked, the server must pin the algorithm it expects and reject tokens that request a different one, including "alg": "none"; only after the signature passes should the time claims (exp, nbf) be evaluated.
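The three-part structure and the signature check described above, as an added example that is not part of the original post. It uses only the Python standard library: it signs an HS256 token, then runs the verifier against a fresh token, an expired one, one presented before its nbf, a tampered payload, an unsigned "alg": "none" token and a token signed with another key. The secret, issuer URL, timestamps and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: a real deployment uses a random key of at least
# 256 bits loaded from a secret store, never a string in source control.
SECRET = b"demo-only-shared-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the token is authentic and current, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    encoded_header, encoded_payload, encoded_signature = parts

    # Pin the algorithm server-side; the token must not choose how it is verified.
    header = json.loads(b64url_decode(encoded_header))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise ValueError("bad signature")

    payload = json.loads(b64url_decode(encoded_payload))
    # Registered time claims are checked only after the signature has passed.
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def check_token(token: str, secret: bytes, now: int) -> str:
    """Reduce verification to one string so outcomes are easy to compare."""
    try:
        verify_hs256(token, secret, now)
        return "valid"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    """Sign one token, then report what the verifier says about several variants."""
    issued = 1700000000  # constructed timestamp: 2023-11-14T22:13:20Z
    claims = {"iss": "https://issuer.example", "sub": "alice", "aud": "api",
              "iat": issued, "nbf": issued, "exp": issued + 3600, "jti": "id-1"}
    token = sign_hs256(claims, SECRET)
    header, payload, signature = token.split(".")

    # Tampering: swap the subject but keep the original signature.
    forged = json.dumps({**claims, "sub": "admin"}, separators=(",", ":")).encode()
    tampered = f"{header}.{b64url_encode(forged)}.{signature}"

    # "alg": "none" attack: an unsigned token claiming it needs no signature.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    unsigned = f"{none_header}.{payload}."

    return {
        "header_segment": header,
        "decoded_payload_sub": json.loads(b64url_decode(payload))["sub"],
        "fresh": check_token(token, SECRET, now=issued + 60),
        "expired": check_token(token, SECRET, now=issued + 3600),
        "too_early": check_token(token, SECRET, now=issued - 1),
        "tampered": check_token(tampered, SECRET, now=issued + 60),
        "alg_none": check_token(unsigned, SECRET, now=issued + 60),
        "wrong_key": check_token(token, b"another-secret", now=issued + 60),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>20}: {outcome}")
```

Run it and the decoded header segment is the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 seen on jwt.io; only the untouched, in-window token is reported as valid, and every other variant fails for the stated reason. The order of checks matters: the algorithm is pinned before the signature is compared, and the time claims are read only from a payload whose signature has already passed.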

The above covers the minimum needed to understand JWT.