JWT (JSON Web Token)
A JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting claims between parties as a compact JSON object that is digitally signed (a JWS) or encrypted (a JWE); the signed form is by far the most common. Because the token carries its own claims and can be verified from the signature alone, a server can authenticate a request without querying a session store.
How it works
A signed JWT consists of three Base64URL-encoded segments separated by dots: a header (the signing algorithm and token type), a payload (claims such as the subject, audience and expiry), and a signature computed over the first two segments. The server verifies the signature with the shared HMAC secret (symmetric algorithms such as HS256) or the issuer's public key (asymmetric algorithms such as RS256 or ES256), checks the time and audience claims, and only then trusts the payload without a database lookup.
Key facts
- Three parts: Header, payload, and signature, each Base64URL encoded
- Stateless: No server-side session required; verification is purely cryptographic. The flip side is that a token cannot be revoked before it expires unless the server keeps extra state (a denylist) or issues short-lived tokens refreshed from a revocable credential
- Expiry (exp claim): Short-lived tokens reduce the window of exposure if one is stolen
For builders
JWTs are common in microservices and SPAs where stateless auth reduces latency. The classic pitfalls are skipping signature verification, letting the token's own alg header choose the algorithm (so an attacker can submit alg "none" and an empty signature), and not checking exp and aud. Pin the accepted algorithms and keys on the server side, validate exp, iss and aud on every request, and rotate signing keys; RFC 8725 collects these rules.
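The structure described under "How it works" and the pitfalls above, as an added example that is not part of the original page: it mints an HS256 token from scratch with the standard library, shows a verifier that trusts the header's alg (and therefore accepts a forged alg "none" token), and beside it a verifier that pins the algorithm, compares the MAC in constant time and enforces exp and aud. The secret, claims and audience string are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads it from a secret store and rotates it.
DEMO_SECRET = b"demo-hs256-secret-do-not-reuse"

# Server-side allowlist: the token header never decides which algorithm runs.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    """Base64URL without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_parts(header: dict, claims: dict) -> str:
    """header.payload, each a compact JSON object encoded as Base64URL."""
    return ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature for an HMAC-SHA256 token."""
    signing_input = _encode_parts({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none_token(claims: dict) -> str:
    """Attacker-crafted token: alg=none and an empty signature segment."""
    return _encode_parts({"alg": "none", "typ": "JWT"}, claims) + "."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable verifier: it does whatever the header's alg says."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        # Bug: "none" means "unsigned", so the claims are accepted unverified.
        return json.loads(b64url_decode(payload_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, audience: str, now=None) -> dict:
    """Hardened verifier: pinned algorithm, constant-time MAC check, exp and aud enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Signature first, in constant time; the payload is only parsed once it is authentic.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # RFC 7519: the current time must be strictly before exp; a missing exp is rejected by policy here.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this audience")
    return claims


def rejects(token: str, key: bytes, audience: str, now=None) -> bool:
    """True when the hardened verifier refuses the token."""
    try:
        verify_hs256(token, key, audience, now=now)
    except ValueError:
        return False or True
    return False
```

The two verifiers differ only in where the algorithm decision is made: the vulnerable one reads it from attacker-controlled input, the hardened one from server configuration. The same pattern applies to library code: pass an explicit algorithm allowlist and the expected audience to the verify call rather than relying on defaults.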
Sources
- IETF. RFC 7519: JSON Web Token (JWT). datatracker.ietf.org
- IETF. RFC 6749: The OAuth 2.0 Authorization Framework. datatracker.ietf.org
- IETF. RFC 8725: JSON Web Token Best Current Practices. datatracker.ietf.org
- OWASP. API Security Top 10 (2023). owasp.org
- OpenID Foundation. OpenID Connect specification. openid.net