DEV Community

Mert Simsek
Mert Simsek

Posted on

Logic of the JWT(JSON Web Tokens)

In this post, we will learn what is the JWT and logic of the JWT. The IETF is designed as a standard token format. Such as validation, user identification, data integrity and information security each other multiple points.

JWT consists of 3 separate JSON pieces encoded in Base64 format. The pieces are separated by a dot (.) symbol and represent the JWT as a whole. As i said, there are 3 fields. They are JOSE Header, Payload and Signature.

JOSE Header

JWT header information is written in JSON format and standard fields are found. You can see an example in the following.

    "alg": "HS256",
    "typ": "JWT"
Enter fullscreen mode Exit fullscreen mode

Alg means, "Specifies the cryptotic algorithm to be used to protect data integrity." and typ means, "Defined a JWT object".

When the JOSE header is enclosed in the token, it is encoded in Base64 format. For example, the Base64 counterpart of the above JSON heading is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. The URL-friendliness of JWT is due to its use of Base64 notation.


A JWT token should be unique between a token producer and a consumer. This uniqueness defines the payload or other claim information. The payload can include fields such as user ID, timeout, and user authority.

  "id": "12345",
  "name": "Mert Simsek",
  "scopes": [
Enter fullscreen mode Exit fullscreen mode

For instance, it needs to be a field like id to represent belonging. There are standarts for it but it is not mandatory.


The last piece of the JWT, which consists of three parts, is the JWT signature. The signature part guarantees data integrity between the token manufacturer and the consumer. When creating the signature, the algorithm defined in the JOSE heading is used.

As long as, we try to create a JWT with PHP, it will be as below.

$header = base64_encode("HEADER");

$payload = base64_encode("PAYLOAD");

$mixed = $header + "." + $payload;

$secretKey = "My_Secret_Key";

$signature = base64_encode(hash_hmac('sha256', $mixed, $secretKey);

$jwtToken = $mixed + "." + $signature;
Enter fullscreen mode Exit fullscreen mode

As a result of the above operations, our JWT token output will be. You can check the generated JWT information at

That's it, in this article, so much for now. We have learned logic of JWT.

Top comments (3)

anwar_nairi profile image

Great introduction Mert, I would also add that this format in itself is not secured so folks never use JWT as it but add some security layer when you send it through your APIs. You can secure it for example in Laravel (to stay around PHP code):

namespace App\Http\Controllers;

use Crypt;

class MyController extends Controller {
  public function index() {
    $jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
    $secured_jwt = Crypt::encrypt($jwt); 

    // Send it using GuzzleHttp, ...

Because it is base64 based, JWT are easily decodable so beware! You can have fun decode wild JWT using debugger.

erebos-manannan profile image
Erebos Manannán

This is a very ignorant claim. The security or lack of it has nothing to do with base64. JWT is not an encryption format, it's a signed token.

You should of course not store any sensitive data, such as passwords or similar in the token unencrypted, but this applies to everything and not just JWT.

The reason for real security issues with JWT is the fact that the standard pretty much requires you to accept ANY JWT token that is valid, and one of the valid signature algorithms for it is "None". This means, that unless you specifically break the standard, and check for the signature algorithm used in addition to the validity of the signature before trusting it, you can easily leave yourself vulnerable to a trivial attack.

In short: never trust a 3rd party JWT implementation completely, because they probably just blindly follow the standard, and never store any actually secret data in it in unencrypted format if you pass it to external systems.

anwar_nairi profile image

Completely agree with you, said it in a clumsy way!