Understanding JSON Web Tokens


One of the most popular methods for implementing secure, stateless authentication is the use of JSON Web Tokens (JWTs). Whether you are building a web application, an API, or even a mobile app, JWT can help simplify your authentication process.
What is JWT?
JWT is a compact, URL-safe means of representing claims between two parties. It lets a client prove to a server that it holds a token the server issued, without the server keeping session data for that client. A JWT is a string that transmits claims as a signed JSON object. It consists of a header, a payload and a signature.
Header: Contains metadata about the token, such as the type of token and the signing algorithm (for example HS256, HMAC with SHA-256).
Payload: Contains the claims, i.e. statements about an entity (typically the user) plus additional metadata. It can include registered claims such as the expiration time (exp) as well as custom claims the system needs.
Signature: Computed over the encoded header and payload with a secret key (HMAC) or a private key (RSA/ECDSA). It lets the receiver detect that the token has not been altered.
By design a JWT is self-contained: it carries everything needed to authenticate the request, so the server does not have to store session data. The flip side is that a token stays valid until it expires; revoking it earlier requires extra server-side state such as a denylist, or short token lifetimes.
How does a JWT work?
A JWT-based authentication flow involves the steps below:
User login: the user sends their credentials (login/password) to the server.
Token issuance: once the credentials are verified, the server generates a JWT that encapsulates the user's identity and other information, and sends it back to the client.
Client uses token: for subsequent requests to protected routes, the client includes the JWT in the HTTP Authorization header, typically as Authorization: Bearer <token>.
Token verification: when the server receives a request, it extracts the token, decodes it, and verifies the signature with the secret (or public key). If the signature is valid and the token has not expired, the server processes the request; otherwise it returns an error. The server should verify with the algorithm it expects, not with whatever algorithm the token's header names.
JWT composition
A JWT is made up of three parts separated by dots (.):
Header.Payload.Signature
- Header:
{
"alg": "HS256",
"typ": "JWT"
}
- Payload:
{
"sub": "123456",
"name": "Alex Joe",
"iat": 1516239022,
"exp": 1516242622
}
- Signature:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
Understanding this structure is essential for seeing how JWTs protect integrity and authenticity. Any alteration to the header or the payload results in a different signature, so the token is trusted only if the signature verifies under the expected key. Keep in mind that the header and payload are only Base64url-encoded, not encrypted: anyone holding the token can read the claims, so never put secrets in the payload and always transmit tokens over TLS.
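The issuance and verification steps above, together with the signature formula from the composition section, carried through end to end as an added example (this is not code from the original article). It implements HS256 with only the Python standard library; the key, the claims, and the attacker helpers tamper_payload and forge_alg_none are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key for the demo; a real service loads a long random
# secret from a secret store and never ships it with the code.
SECRET = b"example-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(claims: dict, secret: bytes, lifetime: int = 3600,
                now: Optional[int] = None) -> str:
    """Token issuance: serialise header and payload, then sign them."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime)
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    enc_signature = b64url_encode(hs256(signing_input, secret))
    return f"{enc_header}.{enc_payload}.{enc_signature}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Token verification: returns the claims, or raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    enc_header, enc_payload, enc_signature = parts
    header = json.loads(b64url_decode(enc_header))
    # The verifier pins the algorithm; the value in the token is never trusted,
    # which is what defeats "alg":"none" and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hs256(signing_input, secret)
    # Constant-time comparison so response timing does not leak how many
    # signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(enc_signature)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(enc_payload))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def check(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """'ok' when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, secret, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker move (constructed): swap in new claims, keep the old signature."""
    enc_header, _, enc_signature = token.split(".")
    enc_payload = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{enc_header}.{enc_payload}.{enc_signature}"


def forge_alg_none(token: str) -> str:
    """Attacker move (constructed): rewrite the header to alg none, drop the signature."""
    _, enc_payload, _ = token.split(".")
    enc_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{enc_header}.{enc_payload}."


if __name__ == "__main__":
    issued_at = 1516239022  # the iat from the article's example payload
    token = issue_token({"sub": "123456", "name": "Alex Joe"}, SECRET, now=issued_at)
    print(token)
    print("valid:    ", check(token, SECRET, now=issued_at + 60))
    print("expired:  ", check(token, SECRET, now=issued_at + 3600))
    forged = tamper_payload(token, {"sub": "admin", "exp": 4102444800})
    print("tampered: ", check(forged, SECRET, now=issued_at + 60))
    print("alg none: ", check(forge_alg_none(token), SECRET, now=issued_at + 60))
    print("wrong key:", check(token, b"another-secret", now=issued_at + 60))
```

Run it to see a token issued and then checked under each failure mode. The verifier pins the algorithm to HS256 before it looks at the signature, so a header rewritten to alg none is rejected without ever touching the key, and a payload edited after signing fails the constant-time signature comparison even though its bytes are perfectly valid JSON. In production, use a maintained JWT library and still pass it an explicit list of allowed algorithms; the point of the hand-rolled version is only to make each check visible.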
Why use JWT?
There are several reasons developers use JWTs in their applications:
Stateless authentication: requests can be authenticated without session information on the server, which is useful in distributed and microservice architectures.
Scalability: because the token carries all the data needed for authentication, scaling the application across multiple servers is easier; every server only needs the verification key.
Interoperability: JWT (RFC 7519) is not tied to any language or platform, which makes it a widely accepted standard for authentication.
Security: when implemented correctly, the signature makes the token tamper-evident. The usual implementation mistakes are accepting the alg value from the token (including none), using a short or guessable HMAC secret, and skipping the exp check.
Conclusion
JWTs provide a secure way to handle authentication across distributed systems. By understanding the structure of a JWT, how it is generated, and how it is verified, you can implement robust, scalable authentication in your applications.
Written by kzankpe