What is JWT?

This post explains what JWT is, without getting into technical details you don’t need to know. The intention of the post is to dispel some harmful misconceptions.

In short, JWT is just a piece of data signed by someone. It doesn’t do much as-is but it’s a key building block useful in many applications.

What JWT Looks Like

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

If you look carefully, it’s basically three pieces of gibberish text separated by periods. The role each part plays is:

Header.Payload.Signature

They look like gibberish because they are encoded. The important part is the payload. The rest is there to describe (header) and protect (signature) the payload.

What Each Part Does

Header primarily describes (using JSON) how the Payload was signed so the Signature can be verified.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload is a collection of name-value pairs presented as JSON like this:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Signature protects both the Header and the Payload so that neither can be changed without detection.

Key Points About JWT

  • JWT doesn’t say anything meaningful about its sender, recipient, or signer as-is.
  • JWT is not encrypted as-is.

This is not to say JWT can’t, but those properties have to be added on top. Allow me to go into a bit more detail on each point.

JWT doesn’t say anything meaningful about its sender, recipient, or signer as-is.

A JWT typically includes some info about its signer so the signature can be verified, but that only proves it was signed by someone who can prove they signed it, unless the signer is already known. How one knows the signer calls for a relationship and/or infrastructure.

The same goes for sender and recipient. To verify the sender or recipient, more has to be built on top of JWT.

JWT is not encrypted as-is.

A JWT is typically sent unencrypted over a secure channel of communication to a recipient, but it may even be printed plainly as a QR code in a newspaper. If you need to protect the token, encrypt it whole in a way that only the recipient can decrypt it. If only part of the payload needs to be protected, then encrypt just that value.
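The following is an added example, not code from the original post, that ties together the two points made above: the "What Each Part Does" section (how the three parts fit together and how the signature protects header and payload) and this one (the payload is readable by anyone holding the token). It uses only the Python standard library. The token string is the one shown in the post; the signing key and the claims used for the constructed tokens are made up for this example and are not a real secret.

```python
import base64
import hashlib
import hmac
import json

# Token copied from the post. Its header and payload can be read without any key.
POST_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWT uses it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_token(token: str):
    """Header.Payload.Signature: exactly three dot-separated parts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    return parts


def read_unverified(token: str):
    """Decode header and payload WITHOUT checking the signature.
    Anyone holding the token can do this: a JWT is signed, not encrypted."""
    header_b64, payload_b64, _sig = split_token(token)
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a JWT: the signature covers 'header.payload', so both are protected."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes):
    """Return the payload if the signature is valid under `key`, otherwise None.
    The verifier decides the algorithm; the header's `alg` is only checked, never obeyed."""
    try:
        header_b64, payload_b64, sig_b64 = split_token(token)
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))


def with_modified_payload(token: str, **changes) -> str:
    """Simulate a change to the payload made without the key (the signature is left as-is),
    so that verification can be shown to detect it."""
    header_b64, payload_b64, sig_b64 = split_token(token)
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed for this example
    header, payload = read_unverified(POST_TOKEN)  # readable with no key at all
    token = sign_hs256({"sub": "1234567890", "name": "John Doe", "admin": False}, key)
    return {
        "post_header": header,
        "post_payload": payload,
        "valid_token_accepted": verify_hs256(token, key) is not None,
        "wrong_key_rejected": verify_hs256(token, b"some-other-key") is None,
        "modified_payload_rejected": verify_hs256(with_modified_payload(token, admin=True), key) is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the post's header and payload decoded from the token alone, which is the "not encrypted" point in practice, and shows that a token verifies only under the key it was signed with and fails as soon as a single claim is changed, which is the "signature protects both header and payload" point.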

A follow-up series of posts will discuss how to build with JWT to solve some common problems, like protecting APIs or delegated authorization in a mobile app, without the issues OAuth has. Stay tuned.