JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
When are JWTs the right choice?
Authorization - Once a user logs in, you can create a JWT and send it with each subsequent request to allow the user to access resources.
Exchanging Information -
Know the sender - Since the JWTs are signed
Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.
JWT Structure
Format: aaaaa.bbbbb.ccccc
The JWT consists of 3 parts:
Header
Consists of:
alg - the signing algorithm, e.g. HMAC SHA256 (HS256)
typ - the token type, JWT
{
"alg": "HS256",
"typ": "JWT"
}
The above JSON is Base64Url encoded to form the first part of the JWT.
Payload
Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are 3 types of claims:
Registered - a set of predefined claims that are not mandatory but recommended, e.g. sub (subject), iss (issuer), exp (expiration time)
Public
Private - custom claims created to share information between the parties
{
"sub": "subject",
"name": "John Doe",
"admin": true
}
The above JSON is Base64Url encoded to form the second part of the JWT.
Signature
Signature = ALGO(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
where ALGO is the algorithm named in the header's alg field (e.g. HMAC SHA256) and secret is the HMAC key, or the private key when RSA or ECDSA is used.
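The following Python script is an added example, not code from the original page: it builds an HS256 token exactly as the three-part structure above describes (Base64Url header, Base64Url payload, HMAC over "header.payload"), and then verifies one so that the "know the sender" and tamper-detection points from the start of the page can be checked in practice. The secret, the claim values and the helper names (b64url_encode, encode_hs256, decode_hs256, is_valid) are constructed for the demonstration. On the verifying side it pins the expected algorithm instead of trusting the alg field in the header, uses a constant-time signature comparison, and enforces exp.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # Base64Url: URL-safe alphabet with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore the padding that b64url_encode stripped before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature for the HS256 algorithm."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) is the conventional serialization for JWTs
    parts = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    # Signature = HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    signing_input = ".".join(parts).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    parts.append(b64url_encode(signature))
    return ".".join(parts)


def decode_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify an HS256 token and return its payload; raise ValueError if it is not trustworthy."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(h_b64))
    # The header arrives unverified, so the verifier decides the algorithm, not the token.
    # This rejects alg "none" and any attempt to swap in a different algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the signature through timing
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature: payload or header was modified, or the key differs")
    payload = json.loads(b64url_decode(p_b64))
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def is_valid(token: str, secret: bytes, now=None) -> bool:
    """Convenience wrapper: True if decode_hs256 accepts the token, False otherwise."""
    try:
        decode_hs256(token, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values; a real key must be long and random, never hard-coded
    secret = b"constructed-demo-secret"
    token = encode_hs256({"sub": "subject", "name": "John Doe", "admin": False, "exp": 2000}, secret)
    print("token:", token)
    print("valid before exp:", is_valid(token, secret, now=1000))
    # Re-encode the payload with admin flipped but keep the old signature: must be rejected
    h, _, s = token.split(".")
    modified = ".".join([h, b64url_encode(b'{"sub":"subject","admin":true}'), s])
    print("modified payload accepted:", is_valid(modified, secret, now=1000))
    print("valid after exp:", is_valid(token, secret, now=3000))
```

Running the script prints the token, then True for the untouched token, False for the payload-modified token (the signature no longer matches), and False once the clock passes exp. Because the header JSON is fixed, every HS256 token from encode_hs256 starts with the same first segment.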