jwt

JSON Web Token (JWT) is a compact, Base64url-encoded string that carries JSON-formatted data.

JWT is used to transmit information between a client and a server, most commonly for authentication and authorization. The server issues a token to the client, and the client then presents it on subsequent requests to access server resources.

JSON Web Token Format

  • Header contains the name of the algorithm used to sign the token and the token type:

    {
      "alg": "",
      "typ": "JWT"
    }
  • Payload can store arbitrary data under any keys, plus service information about the token in reserved fields (the registered claims):

    • iss (Issuer): issuer of the token
    • sub (Subject): subject the token was issued for
    • aud (Audience): recipients the token is intended for
    • exp (Expiration Time): the time after which the token will expire
    • nbf (Not Before): the time before which the token must not be accepted
    • iat (Issued At): the time the token was issued
    • jti (JWT ID): unique identifier of the token

    All of the above reserved fields are optional.

    {
      "sub": "user123",
      "name": "vasyapupkin",
      "exp": 1916239022
    }
  • Signature is used to verify the token's integrity and the authenticity of the data. It is computed over the encoded header and payload using a key known only to the issuing server (a shared secret for HMAC, a private key for RSA or ECDSA).

    Algorithms used to create the signature:

    • HMAC (Hash-based Message Authentication Code): uses a hash function and a shared secret key to generate and verify the signature.
    • RSA (Rivest–Shamir–Adleman): uses a key pair; the private key signs and the public key verifies.
    • ECDSA (Elliptic Curve Digital Signature Algorithm): a digital signature algorithm based on elliptic curves, also using a public/private key pair.

Example of a JSON Web Token

The resulting JWT consists of three parts separated by dots. The header and payload (data) are encoded in Base64url, which is not encryption: as we'll see in the task, anyone holding the token can decode them.

header                                payload                                 signature
eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxOTE2MjM5MDIyfQ.5bK9CxN8h9430ugDlLR_35r8jjkQEfywv

Decoded header:

{
    "alg": "HS256",
    "typ": "JWT"
}

Decoded payload:

{
    "sub": "user123",
    "exp": 1916239022
}

Signature: not decoded (it is raw signature bytes, not JSON).

It's important to understand that a JWT is not intended for transmitting sensitive or confidential information, because its contents are not encrypted by default. The signature protects the token from tampering but does not hide the data.

Task

Decode the JWT token generated by the server and check that it meets the requirements.

Use the official site jwt.io: paste the token into the Encoded field, and the decoded header and payload will appear in the Decoded field.
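The same decoding can be done locally, which also shows the two points made above: the payload is readable without any key, while the signature only checks out with the issuer's secret and the reserved fields (exp, nbf) must be checked separately. The following is an added example written for this page, not code from the lesson; it uses only the Python standard library, the secret is a constructed demo value, and `sign_hs256`, `decode_unverified` and `verify_hs256` are names chosen here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real server would load this from configuration.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding stripped during encoding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature using HMAC-SHA256 (the HS256 algorithm)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What jwt.io's Decoded field shows: header and payload are encoded, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify the signature and the exp/nbf claims; return the payload or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, not the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC against the one in the token.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: token was altered or signed with another key")
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token has expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token is not valid yet")
    return payload


if __name__ == "__main__":
    token = sign_hs256({"sub": "user123", "exp": 1916239022}, DEMO_SECRET)
    print("token:", token)
    print("decoded without the key:", decode_unverified(token))
    print("verified payload:", verify_hs256(token, DEMO_SECRET))
    # Swapping the payload for another user keeps the old signature, so verification fails.
    h, _p, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"admin","exp":1916239022}') + "." + s
    try:
        verify_hs256(forged, DEMO_SECRET)
    except ValueError as err:
        print("forged token rejected:", err)
```

The payload in the demo is the same one shown in the decoded example above, so its middle segment matches the lesson's token exactly; the header segment differs because this example signs with HS256, and the signature segment differs because the secret is a constructed value.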
