All you need to know about JSON Web Tokens (JWT) — Part 1/2

This is the first part of a two-part post on JWT. Here I cover what JSON Web Tokens are, how they work and when to use them. In the second part I cover the structure of a JWT, how it is generated and how a server can issue one in JavaScript.

What is JWT?


How does JWT work?

A JWT is signed by its issuer so that the receiver can check who produced it and that it has not been altered. The signature can use a shared secret (HMAC, e.g. HS256), in which case every party that verifies tokens also holds the secret and could mint them, or an asymmetric key pair (RSA or ECDSA, e.g. RS256 or ES256), in which case the server signs with its private key and anyone holding the public key can verify but not forge. Do note that with signed tokens all the information in the token is readable by the user and by anyone who intercepts it: the header and payload are only base64url-encoded, not encrypted. What they cannot do is change the content without invalidating the signature.


When to use JWT?

  1. To keep the user's session on the client instead of the traditional approach of creating a session on the server and returning a cookie that references it. This gives a stateless authentication mechanism: the server verifies the signature on each request and never has to look the session up in memory or a store. The trade-off is that a token cannot be revoked before its exp claim passes unless the server reintroduces some state (a blocklist, or short-lived tokens with refresh).
  2. To reduce repeated database queries, because a JWT is self-contained: the claims it carries (for example the user's id and roles) are enough for the server to authorize a request without fetching them again.
  3. To pass data in HTML and HTTP environments because of its small size. JSON is less verbose than XML, so its encoded form is smaller. A JWT can be sent in a URL, a POST parameter or an HTTP header (typically "Authorization: Bearer <token>").
  4. To authenticate a user via single sign-on. This is the most common use of JWT, and it works across systems on different domains because each relying party only needs the issuer's public key to verify tokens.
  5. To exchange information between parties. Because the token is signed by the sender, the receiver can check who issued it and whether the content has been tampered with. Signing gives integrity and authenticity, not confidentiality (see the next section).
  6. Additionally, JSON parsers are common in most programming languages, because JSON maps directly to objects, whereas XML has no natural document-to-object mapping.

Two things to get right whenever you sign tokens:

  1. Know the algorithms. Decide on the server which algorithms you accept and reject everything else, including "none"; never let the token's own "alg" header choose how it is verified.
  2. Use an appropriate key size. For HMAC (HS256) the secret must be at least 256 bits of random data, and for RSA the key must be at least 2048 bits, as RFC 7518 requires.

What is JWT not used for?

The data inside a JWT is encoded and signed, not encrypted. Encoding (base64url) only changes the representation of the data; anyone who obtains the token can decode the header and payload without any key. Signing lets the receiver verify who issued the token and that it has not been altered. Neither hides the data, so encoding and signing do NOT keep it confidential, and secrets such as passwords must never be put in a JWT payload. Encryption is what prevents unauthorized access to the content; the JOSE family does define encrypted tokens (JWE, RFC 7516), but the everyday JWT most people mean is a signed JWS, and its payload should be treated as public.


Software Development Engineer @amazon | GSoC’18 Mentor@systers | Open source enthusiast | Love to participate in Hackathons | Optimization is the secret of my code
