Complete Guide to JWT (JSON Web Token)

Introduction

JWT (JSON Web Token) is an open standard defined in RFC 7519 for securely transmitting information between parties as a JSON object. It is widely used in modern web applications for authentication and authorization.

The information in a JWT is digitally signed, allowing the recipient to verify that it has not been altered. Because of its compact, URL-safe format, JWT is ideal for transmitting data in HTTP headers.

JWT is commonly used for authentication, authorization, and secure API communication.

A JSON Web Token (JWT) is a compact, URL-safe string consisting of three parts separated by dots:

Header.Payload.Signature

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Structure of JWT

A JWT contains three main components:

  • Header

  • Payload

  • Signature

Each part is Base64Url encoded and separated by a dot.

1) Header

The header typically contains the token type and the signing algorithm.

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

Here:

  • "alg" specifies the algorithm (e.g., HS256 – HMAC SHA256)

  • "typ" specifies the token type (JWT)

2) Payload

The payload contains claims, which are statements about the user and additional metadata.

Example:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}

There are three types of claims:

Registered Claims

Predefined claims such as:

  • iss (Issuer)

  • sub (Subject)

  • aud (Audience)

  • exp (Expiration time)

  • iat (Issued at)

Public Claims

Custom claims defined for public use.

Private Claims

Custom claims shared between two parties.

Note: The payload is encoded but not encrypted. Sensitive data should not be stored in it.

3) Signature

The signature ensures that the token has not been tampered with.

It is created using:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Example secret:

a-string-secret-at-least-256-bits-long

If someone modifies the payload, the signature becomes invalid.

Purpose of JWT

JWT is mainly used for authentication and authorization.

Authentication

When a user logs in, the server verifies credentials and generates a JWT. The client stores the token and sends it with every request. The server validates the token before allowing access.

Authorization

After login, the server checks the claims in the token (such as user role) to determine whether the user has permission to access specific resources.

Secure Data Exchange

Because a JWT is digitally signed, the recipient can verify both who issued the data and that it was not altered in transit.

How JWT Works (Step-by-Step)

  1. User sends login credentials.

  2. Server verifies the credentials.

  3. Server generates a JWT.

  4. Client stores the token.

  5. Client sends the token in the HTTP header:

Authorization: Bearer <token>

  6. Server verifies the signature and expiration.

  7. If valid, access is granted.

Simple Example Flow

Step 1: Server Generates Token

Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1516239022
}

The server signs this payload with a secret key and returns the JWT.

Step 2: Client Sends Token

GET /api/profile
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Step 3: Server Validates

The server checks:

  • Signature validity

  • Expiration time

  • Claims inside the token

If everything is valid, the request is processed.
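The signing formula from the Signature section and the three checks of Step 3 (signature, expiration, claims), carried out in working code. This is an added example written against the Python standard library only; it is not code from the article or from PyJWT, and the function names (sign_hs256, verify_hs256, check_token, peek_payload, modify_payload_keeping_signature) are this example's own. The secret is the article's example secret, the claim set is constructed for the demonstration, and PAGE_EXAMPLE_TOKEN is the three-part token printed at the top of the article, used only to show that the payload is readable without the secret.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for any token the server must not accept."""


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url; the '=' padding is stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # re-add the padding that was stripped at encode time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact(header)) + "." + b64url_encode(_compact(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes, now=None, leeway: int = 0) -> dict:
    """Step 3 of the flow: check the signature, then exp, then hand back the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("malformed token encoding")
    # The server decides which algorithm it accepts; the token's own header never does.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # constant-time comparison, so a failed check leaks nothing about the correct signature
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("malformed payload")
    now = int(time.time()) if now is None else now
    if "exp" not in claims:
        raise InvalidToken("missing exp claim")
    if now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    return claims


def check_token(token: str, secret: bytes, now=None):
    """Wrapper for callers that prefer a result over an exception: (claims, None) or (None, reason)."""
    try:
        return verify_hs256(token, secret, now=now), None
    except InvalidToken as err:
        return None, str(err)


def peek_payload(token: str) -> dict:
    """Read the payload WITHOUT verifying. This is what "encoded but not encrypted" means:
    anyone holding the token can do this, so it is for inspection, never for trust decisions."""
    return json.loads(b64url_decode(token.split(".")[1]))


def modify_payload_keeping_signature(token: str, changes: dict) -> str:
    """Re-encode the payload with altered claims but keep the old signature,
    to show that verify_hs256 rejects the result."""
    header_b64, _, sig_b64 = token.split(".")
    payload = peek_payload(token)
    payload.update(changes)
    return header_b64 + "." + b64url_encode(_compact(payload)) + "." + sig_b64


# The token shown in the article's own example (header.payload.signature)
PAGE_EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

if __name__ == "__main__":
    secret = b"a-string-secret-at-least-256-bits-long"  # the article's example secret
    issued_at = 1516239022
    claims = {"sub": "1234567890", "name": "John Doe", "role": "admin",
              "iat": issued_at, "exp": issued_at + 3600}  # constructed sample claims
    token = sign_hs256(claims, secret)
    print("token  :", token)
    print("valid  :", check_token(token, secret, now=issued_at + 60))
    print("expired:", check_token(token, secret, now=issued_at + 3601))
    forged = modify_payload_keeping_signature(token, {"role": "superuser"})
    print("altered:", check_token(forged, secret, now=issued_at + 60))
    print("article token payload, read without the secret:", peek_payload(PAGE_EXAMPLE_TOKEN))
```

Two design points worth noticing: the verifier pins the algorithm to HS256 rather than reading it from the header, and the signature comparison uses hmac.compare_digest. The expiry check takes an explicit `now` so the behaviour is testable without waiting for real time to pass.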

How to Use JWT in Real Applications

JWT is commonly used in:

  • RESTful APIs

  • Mobile applications

  • Single Page Applications (SPA)

  • Microservices architecture

  • API gateways

Popular libraries include:

  • Java: jjwt

  • .NET: System.IdentityModel.Tokens.Jwt

  • Node.js: jsonwebtoken

  • Python: PyJWT

Advantages of JWT

Stateless Authentication

The server does not need to store session data.

Compact

Small size makes it efficient for HTTP headers.

Scalable

Suitable for distributed systems and microservices.

Self-Contained

All necessary information is included in the token.

Cross-Domain Support

Works well in modern web architectures.

Disadvantages of JWT

No Easy Revocation

Tokens remain valid until they expire.

Larger Payload

Too many claims can increase token size.

Security Risks

If stored improperly (for example, in localStorage), tokens can be exposed.

Secret Key Risk

If the secret key is leaked, tokens can be forged.

Security Best Practices

  • Use a strong secret key (minimum 256 bits)

  • Always use HTTPS

  • Set expiration time (exp)

  • Do not store sensitive data in payload

  • Use refresh tokens

  • Prefer HttpOnly cookies over localStorage
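The practices above, and the "No Easy Revocation" drawback, as they look in server-side code: a 256-bit random secret, a short-lived access token whose claim set always carries exp and a unique jti, a small revocation list that only has to remember tokens until they would have expired anyway, a role check on already-verified claims, and the cookie attributes for HttpOnly delivery. This is an added example using only the Python standard library, not code from the article; issue_claims, Denylist, authorize and set_cookie_header are this example's own names, the cookie name access_token and the 15-minute lifetime are choices made for the demonstration, and authorize assumes the signature has already been checked.

```python
import secrets
import time

ACCESS_TOKEN_TTL = 15 * 60  # short-lived access token; a refresh token is used to obtain a new one


def new_signing_secret() -> bytes:
    """256 bits from the OS CSPRNG, the minimum the article recommends for HS256."""
    return secrets.token_bytes(32)


def issue_claims(subject: str, role: str, now=None, ttl: int = ACCESS_TOKEN_TTL) -> dict:
    """Claim set for a new access token: iat, exp and a unique jti are always present."""
    now = int(time.time()) if now is None else now
    return {
        "sub": subject,
        "role": role,   # authorization data only; nothing sensitive goes in the payload
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_urlsafe(16),  # unique id so this one token can be revoked
    }


class Denylist:
    """Revocation list keyed by jti. An entry is dropped once its token has expired,
    so the list stays bounded by the number of revocations within one token lifetime."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def contains(self, jti: str, now: int) -> bool:
        self._prune(now)
        return jti in self._revoked

    def _prune(self, now: int) -> None:
        for jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[jti]

    def __len__(self) -> int:
        return len(self._revoked)


def authorize(claims: dict, required_role: str, denylist: Denylist, now=None):
    """Decide access for claims whose signature has ALREADY been verified. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    for name in ("sub", "role", "exp", "jti"):
        if name not in claims:
            return False, f"missing {name} claim"
    if now >= claims["exp"]:
        return False, "token expired"
    if denylist.contains(claims["jti"], now):
        return False, "token revoked"
    if claims["role"] != required_role:
        return False, f"role {claims['role']!r} may not access {required_role!r} resources"
    return True, "ok"


def set_cookie_header(token: str, max_age: int = ACCESS_TOKEN_TTL) -> str:
    """Cookie attributes that keep the token out of reach of page scripts (HttpOnly),
    off plain HTTP (Secure) and out of cross-site requests (SameSite=Strict)."""
    return f"access_token={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    denylist = Denylist()
    claims = issue_claims("1234567890", "admin", now=1516239022)  # constructed sample user
    print("fresh token  :", authorize(claims, "admin", denylist, now=1516239100))
    denylist.revoke(claims)  # e.g. the user logged out
    print("after revoke :", authorize(claims, "admin", denylist, now=1516239100))
    print("Set-Cookie:", set_cookie_header("<token>"))
```

Revocation only works because every token carries a jti and a short exp: the denylist is consulted on each request in place of a session store, but unlike a session store it can forget an entry as soon as the token's own expiry has passed.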

JWT vs Session Authentication

JWT

  • Stateless

  • No server-side session storage

  • Scalable for distributed systems

Session Authentication

  • Server stores session data

  • Easier revocation

  • Less scalable in distributed environments

Real-World Scenario

In an e-commerce system:

  • A user logs in.

  • The server creates a JWT containing user ID and role.

  • The client stores the token.

  • Every request includes the token.

  • The server validates it without querying the database for session data.

The system becomes faster and more scalable.

Summary

JWT (JSON Web Token) is a compact, secure, and stateless method of authentication and authorization used in modern web applications. It enables secure data transmission between client and server without maintaining server-side sessions.

When implemented correctly with proper security practices, JWT is powerful, scalable, and highly efficient for API-based systems.