JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims between parties as a JSON object. In its usual signed form (a JWS) the token is integrity-protected but not encrypted: anyone who obtains it can read the claims, so the payload must not carry secrets. A JWT consists of three parts separated by dots (.):
- Header: A JSON object with two fields: the token type (typ, typically JWT) and the signing algorithm (alg, such as HS256 or RS256). The Header is Base64Url encoded without padding.
- Payload: Contains claims, which are statements about an entity (typically the user) plus additional data. Claims fall into three categories:
  - Registered claims: standard names defined by RFC 7519, such as iss (issuer), exp (expiration time), sub (subject) and aud (audience)
  - Public claims: custom claims whose names are either registered in the IANA JSON Web Token Claims registry or made collision-resistant (for example, namespaced with a URI)
  - Private claims: custom claims used to share information between parties that have agreed to use them
  The Payload is also a JSON object that is Base64Url encoded. It is readable by anyone holding the token.
- Signature: Used to verify that the token was produced by a holder of the key and has not been altered in transit. It is computed over the encoded Header, a dot, and the encoded Payload, using the algorithm named in the Header and either a shared secret (HMAC algorithms such as HS256) or a private key (RSA or ECDSA algorithms such as RS256 and ES256). A verifier should pin the algorithms it accepts in code rather than trusting the alg field, because "alg":"none" and HMAC/RSA key-confusion attacks both rely on the verifier honouring whatever the header says.
The complete JWT format is: Header.Payload.Signature
For example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
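To make the three-part structure and the signature check concrete, the following is an added example in Python (not code from the page or from any JWT library) that builds and verifies HS256 tokens using only the standard library. It decodes the example token shown above and verifies it under the secret `your-256-bit-secret`, which is assumed here to be the jwt.io demo secret behind that token; the page itself does not state the secret. The `tamper_payload` and `strip_signature` helpers are hypothetical attacker-side functions written for this example to show what a correct verifier must reject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# The example token from the text above: header {"alg":"HS256","typ":"JWT"},
# payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
# Assumption: the jwt.io demo secret used to sign PAGE_TOKEN (not stated on the page).
DEMO_SECRET = "your-256-bit-secret"


def b64url_encode(data: bytes) -> str:
    """Base64Url without '=' padding, as JWS requires for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    # Compact separators so the encoded JSON carries no whitespace.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: str) -> str:
    """Produce Header.Payload.Signature with HMAC-SHA256 over 'Header.Payload'."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(payload)
    mac = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Parse header and payload WITHOUT checking the signature. Inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def verify_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the payload only if the token is a valid, unexpired HS256 token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side. Never dispatch on the header's
    # "alg": that is what "alg":"none" and HMAC/RSA key-confusion attacks exploit.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode("utf-8"),
                        ("%s.%s" % (header_b64, payload_b64)).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a timing leak cannot help forge the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    # A valid signature proves origin, not freshness: exp is still enforced.
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def is_valid(token: str, secret: str, now: Optional[int] = None) -> bool:
    """True if verify_hs256 accepts the token (JSON/base64 errors are ValueErrors)."""
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False


def tamper_payload(token: str, **changes) -> str:
    """Attacker helper: re-encode the payload with changed claims, keep the old MAC."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return "%s.%s.%s" % (header_b64, _json_segment(payload), sig_b64)


def strip_signature(token: str) -> str:
    """Attacker helper: turn a signed token into an 'alg':'none' token with no MAC."""
    _, payload_b64, _ = token.split(".")
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    print(is_valid(PAGE_TOKEN, DEMO_SECRET))
```

The decisions that matter are all on the verifier side: the accepted algorithm is fixed in code rather than read from the header, the MAC is compared with `hmac.compare_digest`, and `exp` is enforced even when the signature is good. A production service should use a maintained library instead of hand-rolled parsing, but should still pass it an explicit list of allowed algorithms for the same reason.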
Key features of JWT:
- Compact: Small enough to send in an HTTP header (typically Authorization: Bearer), a POST parameter, or a URL; URLs and query strings end up in server logs and browser history, so the header is the preferred carrier
- Self-contained: Carries all the claims a service needs, so the token can be checked without a database lookup per request
- Cross-language support: Implementations exist for most programming languages
- Stateless: The server keeps no session state for the token; the flip side is that a token stays valid until exp unless the server adds state of its own, such as a revocation list
JWT is commonly used for authentication (as a bearer token) and for information exchange between services. It is particularly suited to Single Sign-On (SSO) in distributed systems, where each service can verify a token issued elsewhere using the issuer's key without contacting the issuer on every request.