DEV Community

Day-6: JSON Web Tokens (JWT).

Day-6: It was a lazy day but an exciting one at the same time, because the WWDC Apple Event 2020 was happening today. As I said on day-4, I planned to research cross-site WebSocket hijacking; I'm not doing that right now because it's a bit too advanced for me (or will need more time), so I've added it to my list and will do it soon! Today I did research on JSON Web Tokens (JWT). So let's get started!

What are JSON Web Tokens (JWT)?

  • JSON Web Token (JWT) is an open standard (RFC 7519), so anyone can use it. It is used to securely transfer information between two parties, e.g. two servers or a client and a server.
  • The main reason it is used is that it is digitally signed, which means the information can be verified and trusted: the signature lets the receiver detect any alteration of the data in transit.
  • It is compact: it can be sent in a URL, a POST body or an HTTP header, which also keeps transmission fast.

What problems does it solve?

  • Authentication
  • Authorization
  • Federated identity
  • Client-side sessions (“stateless” sessions)
  • Client-side secrets

What is the JSON Web Token structure?

  • A JSON Web Token looks like this (three Base64Url segments separated by dots):

  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Breaking it down, a JWT is divided into 3 parts:

  • Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
  • Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
  • Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c


  • Consists of 2 parts: Type of Token and Algorithm!
  • This JSON is Base64Url encoded!
  • Eg.
  "alg": "HS256",
  "typ": "JWT"
Enter fullscreen mode Exit fullscreen mode


  • It contains the claims. Basically claims are user details and additional data like iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
  • There are 3 types of claims:
    • Registered claims
    • Public claims
    • Private claims
  • This JSON is Base64Url encoded!
  • Eg.
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
Enter fullscreen mode Exit fullscreen mode


  • It is formed by Combining the encoded header, the encoded payload with the secret.
  • The signature is used to verify the message wasn't changed along the way!
  • Eg.
  base64UrlEncode(header) + "." +
Enter fullscreen mode Exit fullscreen mode

How does it work?

  • This picture explains it in a perfect way:

[Figure: how JWT works]
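As an added example (not code from this post), here is a minimal HS256 signer and verifier written with only the Python standard library. It reproduces the header and payload segments of the example token above and shows what a verifier must actually check: the server pins the algorithm instead of trusting the token's "alg", the HMAC is compared in constant time, and a modified payload or a token claiming "alg": "none" is rejected. The secret is a constructed placeholder; the post does not say which secret produced its example signature.

```python
import base64
import hashlib
import hmac
import json

# Header and payload segments of the example token above (the jwt.io demo token).
PAGE_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
PAGE_PAYLOAD = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"

def b64url_encode(data: bytes) -> str:
    # Base64Url: URL-safe alphabet with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that Base64Url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) so the segments match what jwt.io displays.
    segments = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, payload)]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])

def verify_hs256(token: str, secret: bytes):
    # Returns the payload dict when the signature checks out, otherwise None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the token must not choose it
    # (this rejects "alg": "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    key = b"demo-secret-do-not-use"  # constructed demo secret, not the post's
    claims = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
    token = sign_hs256(claims, key)
    print(token, verify_hs256(token, key), sep="\n")
```

The first two segments of the printed token are identical to the page's header and payload; only the third segment depends on the secret.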

Resources:
  • JWT documentation
  • JWT Handbook


Got doubts? Contact me on Twitter.
Feedback is welcome; do comment down below! :)

Top comments (1)

Hesam Rad

Helpful article, thank you.