What is JWT?
JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using a cryptographic algorithm.
Quick Facts
| Full Name | JSON Web Token |
|---|---|
| Created | 2010 (standardized in RFC 7519 in 2015) |
| Specification | RFC 7519 (the official specification) |
How JWT Works
A JWT consists of three parts separated by dots: Header, Payload, and Signature. The Header typically contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256). The Payload contains the claims, that is, statements about the user plus additional metadata. The Signature is computed over the base64url-encoded header and payload with the key the algorithm calls for (a shared secret for HS256, a private key for RS256). Header and payload are only base64url-encoded, not encrypted, so anyone holding the token can read them; the signature protects integrity, not confidentiality. JWTs are self-contained, meaning all necessary information is within the token itself, eliminating the need for database lookups during verification.
Key Characteristics
- Self-contained - carries all required information within the token
- Compact - can be sent via URL, POST parameter, or HTTP header
- Stateless authentication - server doesn't need to store session data
- Digitally signed - integrity can be verified, though the contents remain readable by anyone holding the token
- Can be encrypted (JWE) for confidentiality
- Can carry an expiration time (the exp claim) so the token stops being accepted after a set point
Common Use Cases
- User authentication in web and mobile applications
- Single Sign-On (SSO) across multiple domains
- API authorization and access control
- Information exchange between services
- Stateless session management
Example
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
Decoded Payload:
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
```
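As an added example that is not part of this page and not taken from any JWT library, the following Python uses only the standard library to walk through the three-part structure described under "How JWT Works" and to reproduce the example token above: it encodes the page's header and payload into the same first two segments, signs them with HMAC-SHA256 (HS256), and verifies a token the way a server should, by pinning the accepted algorithm instead of trusting the header's `alg`, comparing the signature in constant time, and honouring the `exp` claim. The secret value and the function names (`sign_hs256`, `verify_hs256`, `decode_unverified`, `check`) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo value: an example secret for this snippet, not a real key.
DEMO_SECRET = b"demo-secret-do-not-use"

# The three-part token shown on the page, joined back together.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
PAGE_PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT uses for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> bytes:
    # No whitespace, so the segments match the page's example byte for byte.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; the HMAC covers the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_unverified(token: str) -> dict:
    """Read the payload without checking the signature: fine for inspection, never for trust."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now: int = None) -> dict:
    """Return the payload only if the token is well-formed, correctly signed and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted input, so the verifier decides the algorithm,
    # never the token; anything other than the pinned HS256 is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("alg not allowed: %r" % header.get("alg"))
    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def check(token: str, secret: bytes, now: int = None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    fresh = sign_hs256({"sub": "42", "exp": 2_000_000_000}, DEMO_SECRET)
    print(fresh)
    print(check(fresh, DEMO_SECRET))
    print(check(fresh, b"wrong-secret"))
    print(decode_unverified(PAGE_TOKEN))
```

Signing the page's payload with any secret yields exactly the page's first two segments, because those segments are just the base64url encoding of the JSON; only the third segment depends on the key. The verifier rejects tokens whose header names a different algorithm (including `none`), tokens whose payload was altered after signing, and tokens whose `exp` has passed.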