
2023-10-11

What Is JWT?

JWT stands for JSON Web Token. It is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

Here’s a breakdown of JWT:

  1. Header: The header typically consists of two parts: the token type ("typ": "JWT") and the signing algorithm ("alg"), such as HMAC with SHA-256 (HS256) or RSA (RS256). Because the header arrives as part of the token the client presents, a verifier must not let the header's "alg" value decide how the signature is checked; the accepted algorithm should be fixed on the server side.
  2. Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private.
  3. Signature: To create the signature, take the Base64url-encoded header, a dot, and the Base64url-encoded payload, and sign that string with the algorithm named in the header, using a shared secret for HMAC algorithms or a private key for asymmetric algorithms such as RSA. The verifier recomputes (HMAC) or checks (RSA) the signature over the same input; if a single byte of the header or payload has changed, verification fails.

These three parts are each Base64url-encoded and joined with dots (.) to form the complete JWT: header.payload.signature.
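As an added example (not code from the original article), the following Python program builds an HS256-signed JWT from the three parts described above and then verifies one: it pins the expected algorithm instead of trusting the header, compares the HMAC in constant time, and checks the "exp" claim. The secret, claims and timestamps are constructed here purely for illustration; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWS uses Base64url without "=" padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore the padding that b64url_encode stripped before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"typ": "JWT", "alg": "HS256"}
    # Compact JSON (no whitespace) keeps the token short; any serialization works
    # as long as the verifier signs over the exact encoded bytes it receives.
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(signature)}"


class InvalidToken(Exception):
    pass


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the token is a valid, unexpired HS256 JWT; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated parts")
    enc_header, enc_payload, enc_signature = parts
    try:
        header = json.loads(b64url_decode(enc_header))
    except ValueError as exc:  # covers bad Base64 and bad JSON
        raise InvalidToken("malformed header") from exc
    # The header is client-supplied. Pin the algorithm here rather than letting
    # header["alg"] (e.g. "none") select the verification routine.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(enc_signature)):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(enc_payload))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    demo_secret = b"constructed-demo-secret-do-not-reuse"
    demo_claims = {"sub": "alice", "iat": 1697000000, "exp": 1697003600}
    tok = create_hs256_jwt(demo_claims, demo_secret)
    print(tok)
    print(verify_hs256_jwt(tok, demo_secret, now=1697000100))
```

A tampered payload, a forged "alg": "none" header, or a token past its "exp" all fail verification, while the unmodified token decodes back to the original claims.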

JWTs are used in authentication and authorization protocols, including OAuth 2.0 and OpenID Connect, but can also be used in any context where claims about a subject need to be conveyed and integrity protected, possibly also providing confidentiality.

Typically, a server generates a token that certifies the user's identity and sends it to the client. The client then presents the token to prove its identity when requesting access to resources. The token can be sent in various ways, most commonly in the HTTP Authorization header using the Bearer scheme (Authorization: Bearer <token>).