{"alg": "HS256", "typ": "JWT"}
Decode, verify, and generate JSON Web Tokens with comprehensive analysis
{"alg": "HS256", "typ": "JWT"}
{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are widely used for authentication and information exchange in modern web applications, APIs, and microservices architectures.
A JWT consists of three parts separated by dots (.), which are:
The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA. The header is Base64Url encoded to form the first part of the JWT.
{
"alg": "HS256",
"typ": "JWT"
}The payload contains the claims, which are statements about an entity (typically, the user) and additional data. There are three types of claims:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. The signature is created by encoding the header and payload using Base64url and then signing the result using the algorithm specified in the header.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)| Claim | Name | Description | Type |
|---|---|---|---|
iss |
Issuer | Identifies the principal that issued the JWT | String |
sub |
Subject | Identifies the principal that is the subject of the JWT | String |
aud |
Audience | Identifies the recipients that the JWT is intended for | String or Array |
exp |
Expiration Time | Unix timestamp after which the JWT expires | Number |
nbf |
Not Before | Unix timestamp before which the JWT is not valid | Number |
iat |
Issued At | Unix timestamp when the JWT was issued | Number |
jti |
JWT ID | Unique identifier for the JWT | String |
JWTs can be signed using different algorithms:
JWTs are useful in several scenarios:
Once a user is logged in, each subsequent request includes the JWT, allowing the user to access routes, services, and resources permitted with that token. Single Sign On is a feature that widely uses JWT due to its small overhead and ability to be easily used across different domains.
JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed, you can be sure the senders are who they say they are. Additionally, the signature is calculated using the header and payload, so you can verify that the content hasn't been tampered with.
JWTs are commonly used for API authorization. After a user authenticates, the JWT can contain the necessary permissions and user information, reducing the need for additional database queries.
| Aspect | JWT | Sessions |
|---|---|---|
| Storage | Client-side (stateless) | Server-side (stateful) |
| Scalability | High (no server storage) | Lower (session storage needed) |
| Performance | Fast (no database lookup) | Slower (database/cache lookup) |
| Security | Good (signed, not encrypted) | Excellent (server-controlled) |
| Revocation | Difficult | Easy (delete session) |
| Cross-domain | Excellent | Limited |
| Payload Size | Larger (all data in token) | Smaller (just session ID) |
JWTs provide a compact, URL-safe way to represent claims to be transferred between two parties. They're particularly useful for authentication and information exchange in distributed systems. However, they should be used thoughtfully, considering security implications and use case requirements. Always validate JWTs properly and follow security best practices to ensure robust authentication systems.