Looking Inside a JSON Web Token
Get to know the JSON web token in depth.
In the previous lesson, we looked at how to use the flask_extended_jwt
Python package to create tokens and how to use those tokens to communicate with the Flask API.
Structure of an access token
The tokens themselves were inscrutable sequences of characters, such as:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
What does this mean? Is this just the username information encrypted? This access token looks encrypted because it’s a jumble of symbols, but it’s not. Rather, it’s just encoded, meaning that it can be decoded without requiring a secret key.
Decoding the token
The JWT website provides a debugger tool for checking the access token. We paste the string there and see what it says. It pulls out the header, the payload, and the signature. However, it’s unable to verify the signature until we enter the secret with which the token was signed.
Note: The JWT site is safe to use since the computation happens in your own browser, and no information is actually sent to the server.
In the above example, the secret key is the value stored in app.config['JWT_SECRET_KEY']
when the create_access_token
method was called. Once this secret is entered into the website, the signature is verified.
Get hands-on with 1400+ tech skills courses.