
What is JWT token?

Ravi Teja Gudapati edited this page Jul 12, 2018 · 7 revisions

What is a JWT token?

A JSON Web Token (JWT) is JSON data that is encoded and signed with a private key. Because it is signed, the data cannot be tampered with without the tampering being detected when the signature is checked. Given the key, the data can be verified (for integrity and authenticity) across multiple servers.

A JWT consists of three dot-separated parts:

Header.Body.Signature

Header

The Header records, among other things, which algorithm was used to sign the token.

Body

The Body is the Base64URL-encoded JSON data. In JWT terminology the Body is also called the Claims; Claims are covered in a later section below.

Signature

The Signature is the signature of the Body, produced with a private key using the algorithm selected in the Header. The private key shall be kept secret.

Session on JWT

Since session data is just key-value pairs, it can be stored as the JSON payload of the JWT.

Claims

Claims are fields in the JSON data section of the token. They establish certain information about the token, such as when it was issued, who issued it and whom it is intended for.

Issuer claim

The Issuer Claim is stored as iss in the JWT body. It establishes who issued the token in the first place.

Audience Claim

The Audience Claim is stored as aud in the JWT body. It is a list that identifies the intended recipients of the token; the issuer sets it when the token is issued.

When a client sends a token with a request, the receiving server shall check that it is listed in the audience field. If it is not listed, the request shall be rejected.

Subject claim

The Subject Claim is stored as sub in the JWT body. It identifies the client for which the token was issued.

For example, when the token is used for user authorization, it identifies the logged-in user.

Expiry

The Expiry Claim is stored as exp in the JWT body. It specifies the time, in seconds since the epoch, at which the token expires.

Issued at

The Issued At Claim is stored as iat in the JWT body. It specifies the time, in seconds since the epoch, at which the token was issued.
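The following is an added example, not code from this wiki or from the project it documents: it builds the Header.Body.Signature structure described above and then applies the Claims checks from the sections above (signature, aud, exp, iat) in the order a receiving server should apply them. It assumes HS256 (an HMAC over a shared secret, so the same secret signs and verifies), uses only the Python standard library, and signs the header and body together, as the JWT standard specifies; the secret and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; these are assumptions for the example, not from the wiki.
SECRET = b"constructed-demo-secret-change-me"
SAMPLE_CLAIMS = {"iss": "auth.example", "aud": ["api.example"], "sub": "user42",
                 "iat": 1_000_000, "exp": 1_000_600}  # exp is iat + 10 minutes

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build Header.Body.Signature with HS256; the HMAC covers both header and body."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, audience: str, now=None):
    """Return (claims, "ok") or (None, reason); no claim is trusted before the signature passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unexpected alg"  # the verifier, not the token, fixes the algorithm
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None, "bad signature"  # any change to header or body lands here
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None, "undecodable token"
    if not isinstance(claims, dict):
        return None, "claims are not a JSON object"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be one string or a list
    if audience not in aud:
        return None, "audience mismatch"
    if "exp" in claims and now >= claims["exp"]:
        return None, "token expired"
    if "iat" in claims and claims["iat"] > now:
        return None, "issued in the future"
    return claims, "ok"
```

Passing `now` explicitly makes the expiry and issued-at checks reproducible; omit it in real use so the current clock is consulted.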

TODO

What's next?

In the next article, we will explore how to use MongoDB as a session store.
