
JWT: What are JSON Web Tokens & use cases

Published June 23, 2019, updated July 17th, 2022

Same old drama..

What are JSON Web Tokens (JWT)?

JWTs are tokens that you can use in your web application to transfer data over a network and thereby authenticate communication between 2 parties. A better definition is:

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties. – Source

It is a compact, signed string that carries data and need not be stored in the database, as it has an expiry date. The basic premise is that after server authentication a JSON object is sent to the user, and when the user communicates with the server the JSON object is sent back to the server. Signing the data contained within the token with a signing algorithm makes it trustworthy to the other party and therefore gives it high data integrity.

These tokens are compact and can be sent as part of a POST request or as a query string in a URL. To identify/authenticate people in your (web/mobile) app, put a standards-based token in the header or URL of the page (or API endpoint) which proves the user has logged in and is allowed to access the desired content. – here

The goal of a token is to allow the end user to trust that the received data has not been altered in any way. Since anyone can read a JWT, private information should NOT be sent as part of a token.

Read more here

Anatomy of a JWT

A JWT consists of 3 parts:

  1. Header
  2. Payload
  3. Signature

All 3 make up a JWT and look something like this:


PS: note that each part is separated by a “.”

  1. Header:

The header is Base64URL-encoded and contains metadata, a few key pieces of info about the JWT. Most commonly:

  • Signature mechanism, i.e. which signing algorithm is used (e.g. HMAC SHA-256 or RSA SHA-256)
  • The type of token (JWT)

So the header looks like this:


  {
    "typ": "JWT",
    "alg": "HS256"
  }


Then this JSON object is converted into a string using the Base64URL algorithm:

  // Base64URL (Node >= 15.7), not plain base64: no '=' padding, '-' and '_' instead of '+' and '/'
  const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
  2. Payload

The payload is a JSON object which contains information that is to be sent to the end user. Like the header, the payload is also Base64URL-encoded. The payload is also known as the “claims”. There are 3 types of claims:

  • Public claims: no 2 public claims may have the same name
  • Private claims: must be different from the public and registered claims
  • Registered claims: universally defined claims for specific purposes (for example token expiry time, signified by “exp”, and issuer, signified by “iss”)

So a payload with 2 registered claims (iss and exp) and 2 public claims (name, admin) essentially looks like this:


  {
    "iss": "",
    "exp": 12302019,
    "name": "Kauress",
    "admin": true
  }


Then this JSON object is also converted into a string using the Base64URL algorithm.

  3. Secret

The 3rd part of a JWT is the signature (referred to here as the secret part). It is simply a keyed hash of the other parts of the JWT, the “header” and the “payload”, to ensure that the data cannot be tampered with. You need a ‘secret’ that is available only to the server and not disclosed to the user. A JSON Web Algorithm (JWA) is used to sign the JWT.

The secret part looks like this (pseudocode for HS256):

  HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

4. And then what...

The 3 parts of the token are combined into a string, with each part separated by a ‘.’, and returned to the user.

5. Use cases

  1. Stateless authentication
  2. Password resets
  3. Identify what resources a user can access
  4. Signature for content validation
