Hey, in this blog I will briefly explain what JWT is, how it works, and why you would use it. So keep reading.
🔴 What is JWT?
JWT stands for “JSON Web Token”. It is an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object.
A JWT is simply a token written in JSON format. It can be trusted because it is signed, either with a secret (using the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.
🔴 How does JWT work?
A JWT consists of 3 parts: 1) the header, 2) the payload, 3) the signature.
The header of the JWT is just some metadata about the token, such as the algorithm name and the token type.
The payload is the data you choose to encode into the JWT. It is stored in the token, and later you can use that data to identify the specific user. The more data you add, the bigger the JWT becomes.
Keep in mind that the header and the payload are only encoded (Base64url), not encrypted, so anyone can decode them. That is why you must not put any sensitive data in the payload.
The signature is created from the header, the payload, and the secret that is stored on the server; this step is the signing of the JWT.
So the signing algorithm is simply the part of JWT that makes it possible to verify whether a token is genuine. It creates a unique signature from the header, the payload, and the secret, and only those data plus the secret stored on your server can produce that signature. The signature together with header+payload forms the JWT, which is then sent to the client.
So, how does this process really work?
First, the user sends a POST request to the server with the username and the password. The server checks whether the username and password are valid; if they are, a JWT is created, sent to the client, and saved in a cookie.
Now, every time the server receives a JWT and is about to grant the user access to a protected page, it needs to verify the token in order to determine whether the user really is who he/she claims to be. In other words, it checks that no one has manipulated the header and the payload of the token, so it can be sure no third party tampered with them.
So how does the verification work? Whenever a JWT is received, the verification method takes the header+payload, adds the secret (which is still on your server, so no one can manipulate it) and creates a test signature. The original signature is still on the JWT itself, so the verifier compares the test signature with the original signature. If the two match, the token was not modified and verification succeeds; if they do not match, someone tampered with the token and verification fails.
🔴 Why JWT?
There are many reasons to use JWT, but mostly you will choose it for its simplicity and its secure approach. A JWT is also stateless, which makes it a good fit for a RESTful API.
So that was my little blog. I hope it helped you understand what JWT is, how it works, and why to choose it.
Thank you for reading…
Top comments (1)
JWT or JSON Web Tokens are the new industry standard for securing APIs to and from the server. But what exactly is JWT? How does it work? Let us understand it in more detail under the given link-