What is a JWT (JSON Web Token)?
JWT is a compact, URL-safe token format used to securely transmit information between parties, especially in OAuth 2.0 and OpenID Connect authentication flows.
JWT Structure
A JWT is made of three parts (header, payload, signature), separated by dots:
Example:
JWT Parts Explained
| Part | What It Contains |
|---|---|
| Header | Algorithm and token type (alg: HS256, typ: JWT) |
| Payload | Claims: user ID, roles, expiration, etc. |
| Signature | Signature over header and payload (verifies token integrity) |
JWT in OAuth 2.0
In OAuth 2.0, JWT is often used as the Access Token or ID Token, especially in OpenID Connect.
OAuth 2.0 Flow with JWT:
- User logs in via OAuth 2.0
- Auth server returns JWT token (access token or ID token)
- Client sends the JWT with each request
- Resource server verifies the JWT (signature + expiry)
- If valid, grant access to the protected resource
Benefits of JWT
| Benefit | Description |
|---|---|
| Self-contained | Includes all required info (user, role, exp) |
| Fast | No DB call needed to verify user session |
| Compact | Easily fits in headers, cookies |
| Stateless | No session storage on server |
Important Tips
- Validate the signature using a secret key or public/private key pair
- Check expiration (exp claim) to avoid using stale tokens
- Do not store sensitive data (like passwords) in JWT
Summary
| Term | Meaning |
|---|---|
| JWT | JSON Web Token, a self-contained token used in OAuth 2.0 |
| Use Case | Secure API access, user sessions, authorization |
| Not JOT | JOT is just a mispronunciation of JWT |