What are JSON Web Tokens (JWT)

Understand the details of JWT, JWK, and JWE.


Overview

We have two parties, the client and the server, involved in many applications. We need to pass information back and forth between them. Otherwise, the app we’re creating will be completely useless.

Even if we use a TLS-secured HTTPS connection (see the lesson Authentication), we still need integrity checks at the application level. TLS protects the data while it is in transit, but it isn't always an external party that wants to steal our data or gain access to the application. One of our regular users may try to gain access to data they shouldn't have, for example by altering a token or parameter that the server hands back to them.

If we need to communicate data over an insecure connection, it should ideally be encrypted to keep it safe from prying eyes. Fortunately, there is an easy solution that is compatible with a lot of technologies for those cases: JSON Web Token (JWT) and its related standards.

JSON Web Tokens

The Internet Engineering Task Force (IETF) standardized a set of related concepts:

  • JSON Web Signature (JWS): A means of representing secured content with a digital signature or MAC (Message Authentication Code).

  • JSON Web Key (JWK): A JSON data structure that represents a cryptographic key (public, private or symmetric). A JWK Set represents a set of such keys and is the usual way a server publishes the public keys clients need to verify its signatures.

  • JSON Web Encryption (JWE): A means of representing encrypted content using JSON data structures.

  • JSON Web Tokens (JWT): Defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

Let’s start with JWS before we get to anything that has to do with tokens.

JWS provides a means of transmitting content to the other party by which we can guarantee the content's integrity and authenticity, use modern constructs (JSON in contrast to old-school XML Signature), and use base64url encoding (the URL-safe Base64 alphabet, without padding) so the result can travel in URLs, cookies and HTTP headers unchanged.

The structure of the message we create and send (the JWS compact serialization) is fairly simple: three base64url-encoded parts separated by dots, <Header>.<Payload>.<Signature>.

  • <Header> supplies information about how the signature is generated, chiefly through the alg parameter (for example HS256 for an HMAC with SHA-256 or RS256 for an RSA signature), and may carry further parameters such as typ or kid (which key to use). We can add any other header parameters our use case needs, but nothing in the header can be trusted until the signature has been verified: the verifier must decide in advance which algorithms and keys it accepts rather than letting the token choose, because a token that announces "alg": "none" or an unexpected key type is a classic way to bypass verification.

  • <Payload> is the information that we want to transfer. It is only base64url-encoded, not encrypted, so anyone who obtains the token can read it; this is fine if the data doesn't contain any highly sensitive information. If we need to be sure that no one other than the intended target party can read it, it will need to be encrypted, which is what JWE is for.

  • <Signature> is the MAC or digital signature computed over the ASCII bytes of the first two parts, <Header>.<Payload>. It lets the recipient verify that neither part was altered and that the token was produced by a holder of the key.
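The following is an added example, not code from the original lesson: it builds and verifies a compact JWS with HS256 using only the Python standard library, so the three parts and the signing input are visible rather than hidden behind a JWT library. The key DEMO_KEY, the claims, and the helper names (sign_hs256, verify_hs256, forge_payload, alg_none_token, verification_fails) are all constructed for this example. It also shows the two attacks the header discussion warns about, a swapped payload with the old signature and an "alg": "none" token, both rejected by the verifier.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for this example only; a real deployment loads the
# key from a secret store and never embeds it in code.
DEMO_KEY = b"example-hmac-key-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    # Compact JSON (no spaces) so the encoded parts stay short.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS (<Header>.<Payload>.<Signature>) with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    # The MAC covers the ASCII bytes of the first two parts, dot included.
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload if the token is a valid HS256 JWS, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until verified, so
    # the verifier, not the token, decides which algorithm is acceptable.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes of the tag matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def forge_payload(token: str, new_payload: dict) -> str:
    """Attacker's move: swap the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(_json_bytes(new_payload)) + "." + sig_b64


def alg_none_token(payload: dict) -> str:
    """Attacker's move: announce 'alg: none' and send an empty signature part."""
    header = {"alg": "none", "typ": "JWT"}
    return b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload)) + "."


def verification_fails(token: str, key: bytes) -> bool:
    """True if verify_hs256 rejects the token (used to show the attacks failing)."""
    try:
        verify_hs256(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    print(token)
    print(verify_hs256(token, DEMO_KEY))
    print(verification_fails(forge_payload(token, {"sub": "alice", "role": "admin"}), DEMO_KEY))
    print(verification_fails(alg_none_token({"sub": "alice", "role": "admin"}), DEMO_KEY))
```

The first part of any token this produces is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, the base64url form of {"alg":"HS256","typ":"JWT"}, which is why real tokens so often start with that string. Note that verify_hs256 decodes the header only to check that alg is the one algorithm it supports; a production verifier would also check claims such as exp and aud, but those belong to JWT rather than JWS.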
