What is JWT

JWTs have become an indispensable part of modern application development. In this post, we’ll explore what JWTs are, why they’re so widely adopted, and how they work under the hood.
Here, we’ll be discussing JWTs primarily in the context of web applications, but keep in mind that JWTs can be used in various other scenarios as well.
1 What is JWT?
JWT stands for JSON Web Token, a compact and self-contained way of securely transmitting information between parties as a JSON object.
It is important to note that JWT is used for authorization, not authentication. A typical login is an example of authentication; authorization, by contrast, ensures that the user sending a request is the one who authenticated during login and is allowed to access the requested services. Traditionally, authorization involves creating a session for the user on the server side and handing a session ID to the client (the browser). When the user sends a request along with the session ID, the server checks whether that session exists and decides whether to authorize the request.
In contrast, a JWT is created after authentication and sent to the client, where it is stored on the device (in local storage or a cookie) without anything being saved on the server side. This stored JWT is then included in every request, confirming that it is the same user who logged in. So how does the server know? Let’s discuss.
2 How does JWT work?
JWT consists of three parts:
- Header: contains metadata about the token, such as the type of token (JWT) and the signing algorithm used (e.g., HS256).
- Payload: contains the claims, i.e. the actual data being transmitted, such as user information and the token expiration time.
- Signature: used to verify that the token has not been altered. It is created by encoding the header and payload and signing them using a secret or private key.
2.1 Example of a JWT
A typical JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
This token has three parts, separated by dots (.):
- Header (Base64Url encoded):
{ "alg": "HS256", "typ": "JWT" }
- Payload (Base64Url encoded):
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
- Signature: generated using a secret key
2.2 How does the server perceive a JWT?
When a server receives a request with a JWT, it does not need to look up any session or user data in a database. Instead, the server simply:
- Extracts the JWT from the request (usually from the Authorization header).
- Decodes the token to separate the header, payload, and signature.
- Verifies the signature by using the header’s algorithm and a secret key (known only to the server). The server re-generates the signature from the header and payload, then compares it to the signature part of the JWT.
- If the signature matches, the token is considered valid—meaning the payload has not been tampered with and the request is from an authenticated source.
- The server can now trust the claims in the payload and execute the relevant business logic (such as granting access to protected resources).
This stateless approach allows for scalable and efficient authorization, as the server does not need to maintain session state or perform additional database checks for each request.
A JWT remains valid until its expiration time (the exp claim) is reached. Even if you delete the token from browser storage, it is still usable elsewhere until it expires. To track or revoke JWTs before they expire, you can maintain a blacklist in your database. However, this introduces extra database calls and undermines the stateless nature of JWTs. Use this approach only when necessary and with careful consideration.
3 Real-World Use Cases of JWT
JWTs are widely used in various authentication flows and web architectures. Here are some common use cases:
- Single Sign-On (SSO): JWTs allow users to authenticate once and access multiple applications or services without logging in again.
- REST APIs: JWTs are commonly used to authorize API requests by attaching them to the Authorization header.
- Microservices: in distributed systems, JWTs can be used to securely pass user identity between services.
- Mobile Apps: JWTs work well in mobile environments where sessions are not feasible or scalable.
4 Conclusion
JWTs provide a secure, compact, and stateless way to handle authorization in modern web applications. By understanding how JWTs work and their advantages over traditional session-based authentication, you can design more scalable and efficient systems. However, always consider the security implications and best practices when implementing JWTs in your applications.