DEV Community

Ramu Ummadishetty


JSON Web Tokens

A JSON Web Token (JWT) is one of the most commonly used types of authentication token.

  • It consists of three components:

Header, Payload, Signature

  • All three parts are separated by '.':

Header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

  • Each of the three parts is a base64url-encoded string.

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 - this is the header; it states the algorithm used to generate the signature.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ - this is the payload; it contains the user metadata (claims).

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c - this is the signature; it lets the server verify that no one has tampered with the token.

The token's signature must always be verified on the server side.

The backend must restrict the accepted 'alg' value to a specific algorithm; it must never accept 'none'.

HMAC and RSA

  • HMAC requires the token to be signed with a key and later verified with the same key (a shared secret key).
  • An RSA token is first created (signed) with the private key and later verified with the public key.
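To show the server-side checks described above in working code, here is an added example (not code from the original post): it decodes the sample token shown earlier with only the Python standard library, signs a token with HS256 using a constructed demo secret, and verifies it while pinning 'alg' to HS256 so that a token with alg 'none' or a bad signature is rejected. The secret, `SAMPLE_TOKEN` and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# The sample token from the post: header.payload.signature
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
                "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(s: str) -> bytes:
    # base64url omits '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def split_token(token: str):
    # Returns (header dict, payload dict, raw signature bytes)
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Signing input is "<header_b64>.<payload_b64>" built from compact JSON
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes):
    # Server-side check: the algorithm is pinned to HS256, so a header that
    # says 'none' (or anything else) is rejected before any signature work.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Because the verifier recomputes the MAC over the raw header and payload segments as received, any change to either segment, or to the signature, makes `verify_hs256` return `None`.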

Thanks for reading

Read my article about token-based authentication.
