
JWT

Created on: Oct 3, 2024

A JWT (JSON Web Token) is an open standard for securely transmitting information between parties as a JSON object.

A JWT consists of three parts.

  1. Header
  2. Payload
  3. Signature

1. Header

The header consists of the signing algorithm and the token type.

{ "alg": "HS256", "typ": "JWT" }

2. Payload

The payload contains the claims, which are statements about the user or other data.

{ "sub": "user123", "name": "John Doe", "admin": true }

3. Signature

The signature is created from the base64url-encoded header, the base64url-encoded payload, a secret, and the algorithm specified in the header.

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Best Practices

  1. Set a reasonable expiration time on JWTs to limit the time window for potential misuse.
  2. Have a mechanism to revoke or blacklist compromised tokens to enhance security.
  3. Avoid storing sensitive data in the JWT payload, as the payload is easily readable once base64-decoded.