What Is JWT (JSON Web Token)?
JWT (JSON Web Token) is a compact, URL-safe way to represent secure information between two parties — typically between a client (like your React frontend) and a server (like your Spring Boot backend).
Structure of JWT
1. Header – contains metadata about the token
Example:
{
"alg": "HS256",
"typ": "JWT"
}
- alg: the algorithm used to sign the token (like HMAC SHA256)
- typ: the type of token (always "JWT")
2. Payload– contains the actual data (called claims)
Example:
{
"sub": "varunpatil",
"role": "USER",
"iat": 1696504500,
"exp": 1696508100
}
- sub: subject (usually the username or user ID)
- iat: issued at (timestamp)
- exp: expiration time
You can also add custom fields like email, role, etc.
3. Signature – ensures the token hasn’t been tampered with
Created by combining the header, payload, and a secret key:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
So a final JWT looks something like this 👇
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJ2YXJ1bnBhdGlsIiwicm9sZSI6IlVTRVIifQ.
X7a2qDg6m8i0wRJCrjXw9sM1D_Va8m2YH7JbZp8Qb6Y
⚙️ How JWT Works (Simple Flow)
- The user logs in with credentials (email & password).
- The server verifies credentials and generates a JWT.
- The client stores the token (e.g., in localStorage or a cookie).
For every request, the client sends the token in the Authorization header:
Authorization: Bearer <your_jwt_token>
The server verifies the token. If valid, it processes the request.
If the token is expired or invalid → the request is denied.
🔍 JWT Verification — How the Server Confirms the Token Is Legit
When a user sends a JWT (usually in the Authorization header), the server doesn’t just trust it — it recomputes and verifies it.
1️⃣ Token Received
Example token:
xxxxx.yyyyy.zzzzz
Where:
- xxxxx → Base64URL(header)
- yyyyy → Base64URL(payload)
- zzzzz → Base64URL(signature)
2️⃣ Server Splits the Token
The server separates these 3 parts.
Then it decodes the header and payload (Base64URL → JSON):
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "varunpatil", "exp": 1696508100 }
Signature: "zzzzz"
3️⃣ Server Recreates the Signature
The server takes the same header and payload (the first two parts) and runs them through the same signing algorithm using the secret key stored securely on the backend.
newSignature = HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secretKey
)
This produces a new hash — essentially a digital fingerprint of the token’s content.
4️⃣ Signature Comparison
Now the server compares the newly created signature with the one received in the token:
if (newSignature == receivedSignature)
→ ✅ Token is authentic
else
→ ❌ Token has been tampered with
If someone even changes a single character in the payload (like user role or ID), the new hash will be completely different, and verification will fail instantly.
Key Features of JWT
1.Stateless (No Server-Side Session)
- JWT is self-contained: it carries all the user information inside the token (claims).
- The server doesn’t need to store session data — just validate the signature.
- Makes scaling APIs easier because you don’t rely on in-memory sessions.
2.Compact and URL-Safe
- Tokens are small and can be sent in:
- HTTP headers (Auth: Bearer )
- URL query parameters
- Cookies
- Base64Url encoding ensures tokens are safe to transmit over the web.
3. Cross-Platform
- JWT is language-agnostic — works with Java, Node.js, Python, Go, etc.
- Can be used in mobile apps, web apps, or microservices.
- Perfect for distributed systems where multiple services need to verify the same token.
4. Integrity Verified
- The signature ensures the token hasn’t been tampered with.
- If the payload is changed, verification will fail.
- Protects sensitive operations like authentication, authorization, and API access.
Disadvantages of JWT
- Payload Is Not Encrypted
- Token Revocation Is Hard
- Complexity in Key Management
- Vulnerable If Secrets Are Compromised
Many people mistakenly believe that JWT encrypts data. In fact, JWT does not encrypt the data; it only encodes it and uses a signature to verify that the token was issued by a trusted source and hasn’t been tampered with.
Encoding vs Encryption
- 1. Encoding
Purpose: To transform data into a different format so it can be safely transmitted or stored.
Key Point: Encoding is not meant to be secret — anyone can decode it.
Example in JWT:
Header and payload are Base64Url encoded.
Anyone can decode and read the payload; the security comes from the signature, not the encoding.
Analogy: Like converting English text to Morse code — it’s readable if you know the rules.
- 2. Encryption
Purpose: To make data confidential so only authorized parties can read it.
Key Point: Encryption requires a secret key (or public/private key pair). Without the key, the data is unreadable.
Example: AES, RSA, or JWE (JSON Web Encryption).
Analogy: Like locking your letter in a safe — only someone with the key can open it.
Top comments (0)