JWT stands for JSON Web Token. It is an open standard used to transmit information between parties as a JSON object. It is compact, URL-safe, and used extensively in web applications for authentication and information exchange.
JWTs are digitally signed using keys and secrets. We verify the JWT with these keys and the signature to authenticate the user. Most web systems use JWTs to authorize users to access certain resources.
A JWT has three main components: the header, the payload, and the signature. When we create a token, we supply the header and payload, and the signature is then computed over them.
Header - The header of a JWT contains metadata about the token. It includes three values: alg, typ, and kid. The alg specifies the algorithm used to sign the token, typ indicates the token type, and kid is an optional parameter used to identify the key. Whether to include kid depends on your use case.
{
"alg": "RS256", // signing algorithm, e.g. HS256, RS256 or ES256
"typ": "JWT", // the type of token
"kid": "12345" // Used to indicate which key was used to sign the JWT. This is particularly useful when multiple keys are in use
}
Payload - In the payload we place custom claims, usually user-specific data such as the user ID and role.
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
Signature - The signature is computed over the base64url-encoded header and payload: for HS256 by running an HMAC-SHA256 with a shared secret key, for RS256 by signing with an RSA private key. Whoever receives the token recomputes or checks this signature to verify that the header and payload have not been altered.
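As an added example (not code from the original post), the following Python builds and verifies an HS256 token from the header and payload shown above, using only the standard library. The secrets in KEYS are constructed demo values keyed by kid, and the verifier pins the algorithm to HS256 rather than trusting the alg value in the token's header.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secrets, looked up by the header's "kid" (not real keys).
KEYS = {"12345": b"demo-secret-for-kid-12345", "67890": b"other-demo-secret"}


def b64url(data: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, kid: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the encoded parts."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str) -> Optional[dict]:
    """Return the payload if the signature checks out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the expected algorithm: the token's header must never choose it.
    if header.get("alg") != "HS256":
        return None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))
```

A token whose payload was edited after signing, or whose kid points at an unknown key, fails verification and is rejected as None.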