
May 11, 2025 - 07:48
What Exactly is a JWT and How Does it Work?

Introduction

A JSON Web Token (JWT) is an open standard for securely transmitting information between a client and a server as a JSON object. These tokens are mainly used for authentication and authorization in modern web applications, as they are compact enough to be transmitted in a URL, a POST parameter, or an HTTP header. The data within a JWT is stored as plain JSON that is cryptographically signed, so any alteration of the JWT after it is created can be detected by the party that verifies it.

JWT Breakdown

As mentioned before, JWT is a standard. This means that while all JWTs are tokens, not all tokens are JWTs. Before we can properly touch on JSON Web Tokens, we must first discuss tokens and why they are used.

Tokens are unique pieces of data that usually carry information that identifies a user. They are used to transmit that information securely within a client-server interaction: a generated, user-specific token is attached to all of that user’s requests to the server, and the server checks the token’s validity on each request. If the check passes, the token is considered valid and the request is accepted. Tokens are usually generated by the server and stored client-side, which allows the client to attach them to subsequent requests.

Now, you may be asking yourself, What makes a Token a JSON Web Token?

JWT Structure

A JSON Web Token consists of three parts, separated from one another by a period (.):

  • A Header
  • A Payload
  • A Signature

An example of a JWT is depicted below:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ1c2VyX2lkIjoxMjMsIm5hbWUiOiJKb2huIERvZSJ9.
s5GSJ7OGAEaW9XmdLeqR3-something

Before we continue, let’s dive deeper into the world of JWTs and break down each of these separate pieces.

The Header

First, we have the Header. This contains metadata about the token, such as the type of token and the signing algorithm used (HS256, an HMAC with SHA-256, in the example). For example:

{
    "typ": "JWT",
    "alg": "HS256"
}

The Payload

Next up, we have the Payload, which contains the actual data transmitted, such as user information or permissions. This data is usually referred to as “claims”. For example:

{
    "userId": "b07f85be-45da",
    "iss": "https://provider.domain.com/",
    "sub": "auth/some-hash-here",
    "exp": 153452683
}

The Signature

Finally, we have the Signature. This portion of the JWT protects the integrity of the token: it is computed over the encoded header and payload using the secret key, with the algorithm named in the header. For example:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

This all may seem like a lot of information, and once again, you may be asking yourself, What Problem Do JWTs Even Solve?

Why Do JWTs Even Exist (Pros)?

  • JSON Web Tokens are signed, either with a shared secret (an HMAC such as the HS256 example above) or with a public/private key pair, so the token’s contents are protected against tampering.
  • JWTs are compact and thus can be passed over a URL, a POST parameter, or inside an HTTP header.
  • JWTs are more scalable than normal tokens due to their independent and lightweight nature.
  • JWTs are portable and have their own expiration time information. This makes them very easy to work with, especially when implementing any kind of time-based access control.
  • JWTs are stateless in nature, as the user’s state is never saved in any database (unlike some token mechanisms). This special class of token is also self-contained, reducing the need to go back and forth to and from a database, allowing us to authenticate a user on every API call without much overhead.

NOTE: JWTs can be signed, encrypted, or both. If a JWT is signed but not encrypted, anyone holding it can read its contents, but only a party holding the signing key (the shared secret, or the private key of a key pair) can change them. Any attempt to edit the token’s contents without the signing key results in an invalid signature and therefore an invalid JSON Web Token.

Common Mistakes and Best Practices

  • Don’t store sensitive information in a JWT payload, especially if the token is signed but not encrypted: the payload is only base64url-encoded, so anyone holding the token can decode and read it.
  • Set short expiration times to minimize the damage if a token is compromised and to encourage periodic reauthentication.
  • Use HTTPS to prevent token interception. HTTPS encrypts data in transit, so a token cannot be read if a user’s request is intercepted (HTTPS should be used even if you aren’t using JWTs).

Conclusion

JWTs are a powerful tool for managing authentication and authorization in modern web applications. Their stateless nature and compact format make them ideal for scalable systems. However, they are not a silver bullet. Like any security mechanism, JWTs come with trade-offs, and if misused, they can introduce serious vulnerabilities.

To harness their benefits effectively, developers must follow best practices: use short-lived tokens, securely store them, and always transmit them over HTTPS. When used correctly, JWTs can significantly streamline authentication while keeping your applications safe and efficient.
