Highlight

Expert → Senior Intermediate → Mid-Level JavaScript

Understanding JWT: Basics, Security, and Use Cases

My previous blog posts covered topics like cookies and CSRF attacks. Today, I want to share what I’ve learned about JWTs — a topic that came up during a job interview where I was asked about their security. Since it’s quite a bit lengthy, this post will focus on the fundamentals of JWTs.

  1. What is JWT?
  2. How JWT Ensures Security
  3. Use Cases
  4. The Structure of JWT
  5. How JWT works

What is JWT?
JWT stands for JSON Web Token, an open standard (RFC 7519) for securely transmitting information between two parties, such as a client and a server. As the name implies, the data within a JWT is formatted as a JSON object.

RFC 7519

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

How JWT Ensures Security
To protect the transmitted JSON data, JWTs are cryptographically signed using:

  • HMAC (Hash-based Message Authentication Code)
  • RSA or ECDSA (Asymmetric cryptographic algorithms)

Encrypted tokens hide the data so only those with the decryption key can read it. In contrast, JWTs commonly use signed tokens, where the data inside the token (called “claims”) is visible to anyone with the token. However, signing ensures the integrity of the token, confirming it hasn’t been tampered with. When using a private/public key pair, the private key is used to sign the token, and the public key is used to verify its authenticity.

Use Cases
Authorization:
After a user logs in, JWTs are included in subsequent requests to allow access to specific routes, services, or resources permitted by the token. JWTs are commonly used in Single Sign-On (SSO) systems due to their lightweight nature and compatibility across different domains.

Information Exchange:
JWTs provide a secure way to exchange information between parties. When signed with public/private key pairs, they ensure the sender’s authenticity and verify that the content has not been tampered with, thanks to the signature based on the token’s header and payload.

The Structure of JWT
JWT consists of three parts: HeaderPayload, and Signature. These parts are encoded separately and then combined with dots (.).

Example:

header.payload.signature

Header
The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload
The payload contains claims, which are statements about an entity (usually the user) and additional data. Some claims are predefined (registered), while others can be custom-defined.

Examples of claims:
exp (expiration time) – registered
role (e.g., “admin” or “user”) – custom

Example Payload”

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Signature
The signature is used to verify that the message has not been tampered with. If a private key is used, the signature also ensures the sender’s authenticity.

Example of Signature Generation:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Encoded JWT
All three parts (header, payload, signature) are Base64-URL encoded, and the final token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

Source:
Examples and additional details are sourced from the
JWT Documentation.

How JWT works
Add JWT to a Header
When sending a request from a client to a server (e.g., submitting a form or accessing APIs), a JWT is included in the HTTP Header in the following format:

Authorization: Bearer <token>

This token is used for authentication on the server side.

Three Parties Involved:

  1. Client
    Represents your application or browser.
    Sends an authentication request.
  2. Authorization Server
    Verifies the user’s information, such as ID or password.
    If the verification is successful, it returns a JWT to the client.
  3. Resource Server / API Server
    Receives the client’s request and checks the JWT in the Header.
    If the JWT is valid, it grants access to the requested resources or APIs.
Image description

JWT

Share this content:
Toni Naumoski

Hi, my name is Toni Naumoski, and I’m a Senior Frontend Developer with a passion for blending code and design. With years of experience as a Frontend Developer, Web Designer, and Creative Technologist, I specialize in crafting unique, responsive, and detail-oriented websites and web applications that stand out. I bring deep expertise in HTML, CSS, and JavaScript—working fluently with modern frameworks like React, Angular, and Vue, as well as animation libraries like GSAP. My creative side thrives in Photoshop and Figma, and I enjoy extending functionality using tools like Express.js and ChatGPT. My work is guided by high integrity, strong communication, a positive attitude, and a commitment to being a reliable collaborator. I take pride in delivering high-quality digital experiences that are both technically solid and visually compelling.

view all posts

Related Posts

Post Comment

You May Have Missed