JSON Web Token (JWT)

JSON Web Token (JWT) is a compact and secure token format used for user authentication and information exchange. The signature embedded within the token enables the integrity of the data to be maintained during transmission or encryption. JWT was developed by the IETF (Internet Engineering Task Force) and published in May 2015 under the RFC 7519 standard.

Use Cases

JWT technology is primarily used for;

• Authentication by issuing an access token to the client after a user logs into the system via a web or mobile platform
• Authorization in API (Application Programming Interface) calls
• Inter-service communication in microservice architectures

Due to its design, JWT does not require the server to store session data locally, thereby reducing response times in high-performance distributed systems.

Structure of JWT

A JWT is a string composed of three parts separated by dots. These parts are respectively;

• Header containing algorithm and type information
• Payload containing claims (the information carried by the token) in JSON (JavaScript Object Notation) format
• Signature representing the Base64url-encoded concatenation of the Header and Payload, signed using the selected algorithm

Any modification to any of these three components will render the token invalid.

Definition and Testing Tool

JWT structures can be viewed by decoding the Header and Payload using Base64url in a browser-based JWT Debugger available at jwt.io, and sample tokens can be generated there.