Authentication

go back

JWT ¹

JWT authentication and session authentication are ways to authenticate users of your web app.

JWT stands for JSON Web Token, and it is a commonly used stateless user authentication standard used to securely transmit information between client and server in a JSON format.

A JWT is encoded by default, not encrypted. It is digitally signed with a secret key that only the server knows. Additionally, it has the capability to be encrypted.

Structure of JWT ¹

A JSON Web Token consists of 3 parts separated by a period. The header, the payload, and the signature. Each section is base64 encoded.

Header

The header consists of token type, which is JWT, and the signing algorithm used, such as HMAC SHA256 or RSA.

{
  "typ": "JWT",
  "alg": "HS256"
}

Payload

A payload carries claims, which are statements about the user along with additional data. These claims typically include the time the token was issued (iat) and its expiration time (exp), as tokens should have a limited lifespan.

{
  "iss": "example_issuer",
  "sub": "user_id123",
  "exp": 1644768000,
  "iat": 1644744000
}

Signature

The signature is most important part of a JWT.

It is calculated using the header, the payload, and the secret, which are fed to the signing algorithm to use.

signature = HMAC-SHA256(base64urlEncode(header) + "." + base64urlEncode(payload), secret_salt)

JWT explained in 4 minutes (With Visuals) ↩ ↩²

Authentication

JWT 1

Structure of JWT 1

JWT ¹

Structure of JWT ¹