DEV Community: Andres Fernandez The latest articles on DEV Community by Andres Fernandez (@andres_fernandez_05a8738d). https://dev.to/andres_fernandez_05a8738d https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1179361%2F5df4169a-3f14-4ff6-a7ee-c81cbc6c3674.jpeg DEV Community: Andres Fernandez https://dev.to/andres_fernandez_05a8738d en Cryptography for developers Andres Fernandez Wed, 29 Oct 2025 22:27:22 +0000 https://dev.to/andres_fernandez_05a8738d/cryptography-for-developers-1aj https://dev.to/andres_fernandez_05a8738d/cryptography-for-developers-1aj <p><strong>๐Ÿ” The Invisible Backbone of the Digital World</strong></p> <p>Iโ€™d dare to say that cryptography is the backbone of the digital era. Without it, the Internet would be a chaotic and insecure place. Thanks to the relentless work of scientists, mathematicians, and engineers who have perfected the cryptographic algorithms we use today, itโ€™s possible to transfer money, protect conversations, authenticate identities, and ensure privacy in every corner of our connected world.</p> <p>Without cryptography, there would be no secure banking transactions, no blockchain, and no trust in digital communication. Every message, every payment, and every login would be a risk. In short, cryptography doesnโ€™t just protect data โ€” it protects our very way of life in the 21st century.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3xh2m0o0wpqbveehu8mb.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3xh2m0o0wpqbveehu8mb.jpeg" alt=" " width="800" height="691"></a></p> <p>As developers, we constantly interact with cryptographic systems โ€” even if we donโ€™t realize it. Every time we call an API over HTTPS, hash a password, or sign a JWT, weโ€™re relying on cryptographic guarantees. Understanding how these mechanisms work helps us build safer, more reliable applications โ€” and avoid dangerous mistakes that attackers can exploit.</p> <h3> ๐Ÿ”‘ Key Concepts Every Developer Should Know </h3> <p>Before diving deeper into cryptography, itโ€™s essential to understand a few core concepts that form its foundation:</p> <ul> <li> <strong>Hashing</strong> </li> </ul> <p>A one-way transformation of data used mainly for password storage and integrity checks. Once data is hashed, it cannot be reversed.</p> <ul> <li> <strong>Encryption</strong> </li> </ul> <p>The process of protecting information using a key, so that only authorized parties can read it. Itโ€™s what keeps HTTPS and encrypted files secure.</p> <ul> <li> <strong>Symmetric Keys</strong> </li> </ul> <p>Systems where the same key is used to encrypt and decrypt data. A common example is the AES algorithm.</p> <ul> <li> <strong>Asymmetric Keys</strong> </li> </ul> <p>Involve a pair of keys โ€” one public and one private โ€” used for encryption, decryption, and digital signatures. RSA and ECC are classic examples.</p> <ul> <li> <strong>Digital Signatures</strong> </li> </ul> <p>Allow verification of authenticity and data integrity. Theyโ€™re widely used in JWTs, API authentication, and blockchain transactions.</p> <ul> <li> <strong>Certificates (PKI)</strong> </li> </ul> <p>Part of the Public Key Infrastructure, certificates ensure identity verification and trust online โ€” for example, in TLS/SSL connections.</p> <h3> โš ๏ธ Common Mistakes Developers Make with Cryptography </h3> <p>Even experienced developers can fall into subtle security traps. Avoiding these mistakes will save you from serious vulnerabilities later on:</p> <ul> <li> <strong>Rolling your own encryption algorithm</strong> </li> </ul> <p>(โ€œNever roll your own crypto.โ€) Cryptography is complex โ€” use well-established, peer-reviewed libraries instead.</p> <ul> <li> <strong>Storing passwords without hashing or using weak algorithms like MD5</strong> </li> </ul> <p>Always hash passwords using modern algorithms such as bcrypt, scrypt, or Argon2.</p> <ul> <li> <strong>Skipping signature validation in tokens</strong> </li> </ul> <p>Never trust unsigned or unchecked JWTs. Always verify their signatures before accepting user data or access claims.</p> <ul> <li> <strong>Hardcoding symmetric keys in source code</strong> </li> </ul> <p>Keep secrets out of your repository. Use environment variables or secret managers instead.</p> <h3> ๐Ÿš€ Final Thoughts &amp; Call to Action </h3> <p>Cryptography isnโ€™t just for mathematicians โ€” itโ€™s a <strong>toolkit every modern developer should master</strong>.<br><br> From securing APIs to verifying identities and ensuring data integrity, cryptography defines how we build trust online. </p> <p>In the next articles, weโ€™ll explore <strong>how to apply cryptographic principles in real-world Node.js and Rust applications</strong>, and how to avoid the pitfalls that can silently compromise your security.</p> <h3> ๐Ÿ—บ๏ธ Whatโ€™s Next: Upcoming Topics in This Series </h3> <p>Hereโ€™s a sneak peek of whatโ€™s coming next:</p> <ul> <li>๐Ÿ”น Understanding Hash Functions โ€” <em>SHA-256, bcrypt, Argon2</em> </li> <li>๐Ÿ”น Encryption in Node.js โ€” <em>symmetric &amp; asymmetric keys</em> </li> <li>๐Ÿ”น JWTs, Signatures, and Verifying Trust </li> <li>๐Ÿ”น TLS, HTTPS, and Real-World Data Protection </li> <li>๐Ÿ”น Building Secure APIs Using Modern Cryptography </li> </ul> <p>Stay tuned โ€” this is just the beginning of mastering the invisible backbone of the digital world.</p> cryptography security node A Guide to JWTs: Signing with RS256 Made Simple. Andres Fernandez Wed, 24 Jul 2024 16:11:11 +0000 https://dev.to/andres_fernandez_05a8738d/a-guide-to-jwts-signing-with-rs256-made-simple-4kce https://dev.to/andres_fernandez_05a8738d/a-guide-to-jwts-signing-with-rs256-made-simple-4kce <h3> Introduction. </h3> <p>In our previous guide <a href="https://dev.to/andres_fernandez_05a8738d/jwt-for-developers-behind-the-scenes-445p">JWT for Developers: Behind the Scenes</a>, we talked about JWTs signed with HMAC using SHA256. This time, we'll focus on the RS256 algorithm, which uses the PKCS#1 RSASSA v1.5 specification with SHA256. Don't worry about these complicated names; just remember it's called RS256 ๐Ÿ˜Œ.</p> <h2> What is RS256 ๐Ÿ”’? </h2> <p>RS256 is a digital signature algorithm that uses public key cryptography. This algorithm is part of the RSA family and uses SHA-256 as hash function. In practice, RS256 generates a pair of keys: one public and one private. Here is a breakdown of how it works:</p> <p><strong>Private Key:</strong> The private key is used to create and sign messages. Only the owner of the private key can generate valid signatures for messages.</p> <p>A private key in <strong>format PEM</strong> looks like this ๐Ÿ”‘:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nt">-----BEGIN</span> ENCRYPTED PRIVATE KEY----- MIICzTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIS28pq8UusVcCAggA mTE6uS7rjd2rSc/n4i6gTYniJtLfOUzTK8HXFXxE2nTT7vcbsi9yXMH2zAA8JQSg r5v8TRs3B0rJQaOMLBu9bWqmS6GZLNdPmTYVq6Y0YBMyMwMusCdDjUyuu7R2h+1L +XT0XTwLnJIlXU8wI4EsPhHyDHLNUwxPkSxrCwo9kTv1C9OdCUvIFtpM7mhCmXiX a3JOr547mmXo2aJH8sKb/ANON6wa0Zq8vgGQxLivXQRgDja3EdEu5mFkHZmJB8Cd DSE4FPtKmiz5wKJ4E4ZdKsKpdBCSgjHkY5mU4ut+3st1zBEgDMLCTsyDOG+FAtap <span class="nv">6Q</span><span class="o">==</span> <span class="nt">-----END</span> ENCRYPTED PRIVATE KEY----- </code></pre> </div> <p><strong>Public Key:</strong> The public key is freely distributable and is used exclusively to verify the authenticity of messages signed with the private key. This ensures that anyone in possession of the public key can confirm that a message was signed by the owner of the private key, thus guaranteeing its integrity and authenticity.</p> <p>A public keyin <strong>format PEM</strong> looks like this ๐Ÿ”‘:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nt">-----BEGIN</span> PUBLIC KEY----- MIGbMA0GCSqGSIb3DQEBAQUAA4GJADCBhQJ+AKwTaUz3u/k8+P/ZZqf+Zr+nWLx3 7nLpkQZRDoBDs8RoVLGiGOcfydUniSpMpfTTYih8+Wl9RPNXlhJ1oHaIyD8WbKy8 <span class="nv">NfY2l8NruixdAgMBAAE</span><span class="o">=</span> <span class="nt">-----END</span> PUBLIC KEY----- </code></pre> </div> <h2> Use case ๐Ÿงฐ. </h2> <p>There are many use cases for public key signing, but we will focus on the case of OAuth2.0 with an Azure AD server. When the server issues an access token, it also provides a public URL with the public key. This allows us to validate the token's authenticity in our resources.</p> <blockquote> <ul> <li>The private key must be stored very carefully to avoid exposure.</li> <li>In our case, we saw how a developer tried to modify the token's content but failed the verification check.</li> <li>Other developers enjoy a stress-free life by using the public key solely to verify the authenticity of the token received from Azure.</li> </ul> </blockquote> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk1vdeqrr3zahces7s5pz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk1vdeqrr3zahces7s5pz.png" alt="Image verify token" width="800" height="523"></a></p> <h2> Benefits โœ…. </h2> <p>This approach is fantastic because it allows us to validate tokens, but not create them on behalf of the Azure server. If a malicious actor tried to alter our token while it is in transit, we could immediately detect and verify that the token has been tampered with and reject it.</p> <p>Take a Moment to Read the Above Section โ˜•.</p> <p>If you've made it this far, you're ready to create your own token signing system using a public key algorithm. I hope you're excited ๐Ÿ™‹๐Ÿป!</p> <p><strong>Let's Get Started</strong></p> <p>First things first: we're going to use Node.js's native crypto module. If you're familiar with other programming languages, feel free to use their native cryptography modules; they probably have one.</p> <ul> <li>Generate RSA Keys: We use generateKeyPairSync to generate an RSA key pair. The private key is encrypted with a passphrase for secure storage. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">generateKeyPairSync</span><span class="p">,</span> <span class="nx">createSign</span><span class="p">,</span> <span class="nx">createVerify</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 1. Generate Keys RSA</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">publicKey</span><span class="p">,</span> <span class="nx">privateKey</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">generateKeyPairSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">rsa</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">modulusLength</span><span class="p">:</span> <span class="mi">2048</span><span class="p">,</span> <span class="c1">// key Size</span> <span class="na">publicKeyEncoding</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">spki</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pem</span><span class="dl">'</span> <span class="p">},</span> <span class="na">privateKeyEncoding</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pkcs8</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pem</span><span class="dl">'</span><span class="p">,</span> <span class="na">cipher</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-256-cbc</span><span class="dl">'</span><span class="p">,</span> <span class="na">passphrase</span><span class="p">:</span> <span class="dl">'</span><span class="s1">top secret</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <ul> <li>Creating our funtion to make signed tokens </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">createToken</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">privateKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="p">{</span> <span class="na">alg</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RS256</span><span class="dl">'</span><span class="p">,</span> <span class="na">typ</span><span class="p">:</span> <span class="dl">'</span><span class="s1">JWT</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">encodedHeader</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">header</span><span class="p">)).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/=/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encodedPayload</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">payload</span><span class="p">)).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/=/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">encodedHeader</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">encodedPayload</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">sign</span> <span class="o">=</span> <span class="nf">createSign</span><span class="p">(</span><span class="dl">'</span><span class="s1">RSA-SHA256</span><span class="dl">'</span><span class="p">);</span> <span class="nx">sign</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="nx">sign</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">sign</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">privateKey</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/=/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">signature</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Now we will verify the tokens signed by us. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">publicKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">encodedHeader</span><span class="p">,</span> <span class="nx">encodedPayload</span><span class="p">,</span> <span class="nx">signature</span><span class="p">]</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">verify</span> <span class="o">=</span> <span class="nf">createVerify</span><span class="p">(</span><span class="dl">'</span><span class="s1">RSA-SHA256</span><span class="dl">'</span><span class="p">);</span> <span class="nx">verify</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">encodedHeader</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">encodedPayload</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">verify</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nx">verify</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">publicKey</span><span class="p">,</span> <span class="nx">signature</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">encodedPayload</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">));</span> <span class="k">return</span> <span class="nx">payload</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token verification failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Remember, security is a journey, not a destination. There is always more to learn and new techniques to explore.</p> <p>Thank you for following along. Happy coding, and keep learning! Your journey in the fascinating world of cryptography has just begun. ๐Ÿš€</p> security node code JWT for Developers: Behind the Scenes. Andres Fernandez Wed, 03 Jul 2024 03:58:03 +0000 https://dev.to/andres_fernandez_05a8738d/jwt-for-developers-behind-the-scenes-445p https://dev.to/andres_fernandez_05a8738d/jwt-for-developers-behind-the-scenes-445p <p>90% of developers just use the jsonwebtoken library without really understanding whatโ€™s happening behind the scenes. Be part of the percentage that does. Grab a coffee and enjoy the learning journey โ˜•๐Ÿคฏ.</p> <p><strong>Technical definition JWT:</strong></p> <p>The Internet Engineering Task Force (IETF) is a globally recognized organization responsible for the creation and promotion of internet standards. <a href="https://datatracker.ietf.org/doc/html/rfc7519" rel="noopener noreferrer">In its document RFC 7519</a>, the IETF defines JWT (JSON Web Tokens) as:</p> <p>"A compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted."</p> <p>Up to this point, we know the basics of JWTs โœ…:</p> <p><strong>A JWT consists of three parts:</strong></p> <ul> <li>Header.</li> <li>Payload.</li> <li>Signature.</li> </ul> <p><strong>Library Trust:</strong> We trust that the jsonwebtoken library works well to keep our app secure.</p> <p><strong>Format:</strong> flow to get a JWT looks something like this:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffztercceff10z1s3cgzf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffztercceff10z1s3cgzf.png" alt="Image" width="800" height="393"></a></p> <p><strong>Uses of JWTs ๐Ÿฆพ</strong></p> <p>JWTs signed with an algorithm and a secret key are known as JWS (JSON Web Signature). You have probably encountered them, and their use goes beyond merely assigning permissions for applications to access certain resources. Some of their most common uses include:</p> <blockquote> <ul> <li>Authentication: Verifying the identity of a user.</li> <li>Authorization: Granting or denying access to resources.</li> <li>Federated Identity: Allowing multiple systems to share identity information.</li> <li>Client-Side Sessions: Storing session information on the client side.</li> <li>Client-Side Secrets: Keeping secrets on the client side without server storage.</li> </ul> </blockquote> <p>Let's emphasize authorization. After the proper validation of a user's authentication, we need to assign a ticket for them to access certain protected resources of our applications.</p> <h2> JWT breakdown (Signed with SHA256 algorithm) </h2> <p><a href="https://camo.githubusercontent.com/f87e0ba2f9cb5c35b5e97cd5dc2408f42f50cef4b568d3554ac8058494b23680/68747470733a2f2f6a77742e696f2f696d672f62616467652d636f6d70617469626c652e737667" class="article-body-image-wrapper"><img src="https://camo.githubusercontent.com/f87e0ba2f9cb5c35b5e97cd5dc2408f42f50cef4b568d3554ac8058494b23680/68747470733a2f2f6a77742e696f2f696d672f62616467652d636f6d70617469626c652e737667" alt="Image" width="144" height="36"></a></p> <p>We are going to focus on creating a signed JWT (JSON Web Token), commonly known as a JWT with a Signature, to establish secure communication between two parties that can validate its authenticity. There are two types of signed JWTs: the first is signed using the SHA algorithm, and the second is signed using the RSA algorithm (the latter will be covered in another guide).</p> <p>Let's start building our JWT (Signature). We need a few things first.</p> <ol> <li>Function to convert JWT parts to Base64URL format โœ”๏ธ.</li> <li>Secret Key โœ”๏ธ.</li> <li>We use the native Node.js crypto module to sign it โœ”๏ธ.</li> </ol> <p><strong>Why use Base64-URL?</strong></p> <p>This process ensures that the result is a valid text in URLs.</p> <p>Convert binary data to Base64, Modify Special Characters, Replace + with -,Replace / with _, Remove any padding characters (=).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">base64urlEncode</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/=/g</span><span class="p">,</span> <span class="dl">""</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\+</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">-</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\/</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">_</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Generate Secret Key ๐Ÿ”‘</strong></p> <p>Now we will create our Secret Key, this must be stored securely, it is used to validate the signature, not to share. Avoid choosing short or obvious combinations. It is recommended to generate secure bytes like this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Generate a 256-bit (32-character) secret key</span> <span class="kd">const</span> <span class="nx">secretKey</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p><strong>Signature ๐Ÿ”.</strong></p> <p>In this section, we explore the backbone of cybersecurity: cryptography!</p> <p>The standard recommends using the HMAC function with SHA-256, known as HS256 in the JWA spec.</p> <p>It also recommends RSA for tokens signed with private keys, a topic we will cover in another guide:</p> <p><strong>HMAC (Hash-based Message Authentication Code).</strong></p> <p>HMAC in Node.js uses a secret key and a hash function to create a unique code (MAC) that verifies the integrity and authenticity of a message. Here's a simplified explanation of what happens behind the scenes:</p> <ol> <li> <strong>Combine Key and Message</strong>: The secret key and the message are combined in a specific way.</li> <li> <strong>Apply Hash Function</strong>: This combination is then passed through a hash function (like SHA-256) twice.</li> <li> <strong>Generate Code</strong>: The result is a fixed-size code that is unique to the given message and key.</li> </ol> <p>This code ensures that the message cannot be altered by a cybercriminal without invalidating the signature. If even a single bit in the message changes, the HMAC code will be different, indicating unauthorized tampering. In this way, HMAC protects against malicious modification attempts.</p> <p>Function to create Signature ๐Ÿ›ก๏ธ.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">createSignature</span><span class="p">(</span> <span class="nx">encodedHeader</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">encodedPayload</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">secret</span><span class="p">:</span> <span class="kr">string</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">encodedHeader</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">encodedPayload</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">,</span> <span class="nx">secret</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">data</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Graphical example of signature creation ๐ŸŽจ ๐Ÿ–Œ๏ธ.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fislcw0w6vclkchkv0hqy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fislcw0w6vclkchkv0hqy.png" alt="box" width="800" height="527"></a></p> <p><code>Completed example</code></p> <p>Here we have our completed example. As you can see, we can create our own token signing system. This is how libraries that use the JWT standard function. I encourage you to experiment with Node.js's Crypto module and implement your own solution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="p">{</span> <span class="na">alg</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HS256</span><span class="dl">"</span><span class="p">,</span> <span class="na">typ</span><span class="p">:</span> <span class="dl">"</span><span class="s2">JWT</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1234567890</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">John Doe</span><span class="dl">"</span><span class="p">,</span> <span class="na">iat</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">encodedHeader</span> <span class="o">=</span> <span class="nf">base64urlEncode</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">header</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">encodedPayload</span> <span class="o">=</span> <span class="nf">base64urlEncode</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">payload</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">your-256-bit-secret</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">createSignature</span><span class="p">(</span> <span class="nx">encodedHeader</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">encodedPayload</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">secret</span><span class="p">:</span> <span class="kr">string</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">encodedHeader</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">encodedPayload</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">,</span> <span class="nx">secret</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">data</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nf">createSignature</span><span class="p">(</span><span class="nx">encodedHeader</span><span class="p">,</span> <span class="nx">encodedPayload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">encodedHeader</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">encodedPayload</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">signature</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> </code></pre> </div> <h3> Resume </h3> <p>The token signature is the result of passing the header, payload, and a secret through a hash function, obtaining a fixed value. This value acts as an impenetrable barrier for cybercriminals, ensuring that the data has not been modified and maintaining the integrity and authenticity of the information.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>JWT(Signature)</th> <th>value</th> </tr> </thead> <tbody> <tr> <td>Integrity</td> <td>โœ…</td> </tr> <tr> <td>Authenticity</td> <td>โœ…</td> </tr> <tr> <td>Privacity</td> <td>โŒ</td> </tr> </tbody> </table></div> <p>Remember ๐Ÿ“Œ.</p> <p>Not to include sensitive information in the payload of your JWTs, as they are only encoded, not encrypted. The JWT signature ensures the integrity and authenticity of the token but does not guarantee the privacy of the data.</p> <p>Upcoming guides:</p> <blockquote> <p>Best practices for creating your JWTs.<br> Validate JWTs like a pro.<br> Know the main attacks and common failures when implementing JWTs.</p> </blockquote> node javascript api security