If you are a web developer or a student studying web development you must have heard of the term JWT. These days, JSON Web Tokens (JWTs) play a pivotal role in web development, particularly in the authentication and authorization processes of web applications. In this article we will delve deep into the world of JWTs,their structure, how they work and the advantages they offer over traditional session tokens.
A JWT stands for JSON Web Token. JWTs are used for securely transferring information between parties as a JSON object. For those familiar with JavaScript, JSON is a standard text-based format for representing structured data based on JavaScript object syntax. It is commonly used for transmitting data in web applications.
{
"id" : "emp_007",
"name" : "Gregor Samsa",
"roles" : ["admin", "compliance"]
}
Structure of JWT
In its compact form, JSON Web Tokens consist of three strings separated by dots. It looks something like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWT consists of three parts:
- Header: The header consists of two parts: the type of token which is JWT and the hashing algorithm which will be used in forming the signature.
{
"alg":"HS256",
"typ":"JWT"
}
This JSON is base64 encoded to form the first part of the JWT.
2.Payload: The payload consists of the claims which give information about the user. Claims consist of information such as user id, user name and the roles of user.Since a payload can easily be decoded it should not contain any sensitive information.
{
"sub": "1234567890",
"name": "Gregor Samsa",
"admin": true,
"iat": 1516239022
}
The payload is base64 encoded to form the second part of the JWT.
3.Signature: The signature is formed by taking together the encoded header, the encoded payload, a secret and then signing it with the hashing algorithm which is specified in the header.
HMACSHA256(
base64UrlEncode(header) + '.' +
base64UrlEncode(payload),
secret)
The signature verifies that the sender of the JWT is who it says it is and that the message want changed in the way.
How JWT works?
So once a user logins the application using its credentials a JWT token is returned in the response. Like session tokens, JWT tokens can also be stored in the cookies of the browser.Now every subsequent request the user makes the JWT token will be sent along in the header of the request.Once the server receives the request it verifies the JWT using the signature. It uses the header and the payload received and the secret to generate a signature and if the generated signature matches the signature in the JWT it sends a successful response and gives the user access to the resources. If the generated signature doesn't match the signature in JWT the server sends back an error.
How is JWT different from session tokens?
In the case of session tokens, once the user logins the server creates a session and sends the session id in response.Now the session id is sent in every subsequent request.The server fetches the session corresponding to the session id and authorizes accordingly.
The major difference between JWT and session tokens is that JWT is stateless. Unlike session tokens nothing is stored on the server and the token is self-contained. This reduces the latency and the number of database calls. Also it makes the application more scalable. Since the token is self contained and nothing is stored on the server,the requests can be sent over to different servers by the load balancer without causing any issues.
Conclusion
I hope through this blog now you know a little more about JWTs.
Top comments (14)
Hello great article !
Don't hesitate to put colors on your
codeblock
like this example for have to have a better understanding of your code 😎hey thanks i wasnt able to figure out how to add colors
That a better post, thanks 🥳
ps. JWT is pronounced "jot". :)
I pronounce it "yacht" 😂
I got more clearer picture about JWT, thanks "Manoj Bajaj"
Thanks
How about the downsides to JWT? Particularly vs so-called session tokens? You can't say they're "better" without talking about the tradeoffs.
What are JWT?
Thomas Broyer ・ Nov 29 '23
Thanks
Superb explanation..✨✨
Thanks!
Great article, very well explained.
Great read. Your explanation was helpful. Thank you.
Some comments may only be visible to logged-in visitors. Sign in to view all comments.