What is JWT (JSON Web Token)?

Reading Time: 3 minutes

What is JSON Web Token (JWT)?

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between two parties as a JSON object. This information is digitally signed so it can be trusted an verified. JWT signed using a secret key (with the HMAC algorithm) or a public/private key using RSA or ECDSA. JWT can be encrypted to also give secretiveness between two parties, we will  concentrate on on signed  tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key, the signature also verifies that only that party hold the private key is the one that signed it.

JSON Web Token structure

JSON Web Tokens made of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

a JWT typically looks like the following.


The header consist of two parts: Type of the token, which is JWT, and the algorithm which is used, such as SHA256, RSA or HMAC.


The second part of the token is payload, which contains claims. Claims are statements about an entity (user) and additional data.

There are three types of claims:-

  1. registered

  2. public

 3. private claims.

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others. the claim names are only three characters long as JWT is meant to be compact.

  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.


To create the signature part you have to take the encoded header, encoded payload, secret, the algorithm specified in the header, and sign that.

For example if you want to use the SHA256 algorithm, the signature will be created in this way:

This signature is used to verify the message was not changed, and in the case of tokens signed with a private key, it also verify that the sender of the JWT.

finally our token look like as:-

How JSON Web Tokens work?

In authentication, when the user successfully log-In using their credentials, then a JSON Web Token will return. tokens are credentials, so we need to take care of prevent security issues. generally, you should not keep tokens longer than required.

When a user wants to access a protected route or resource, the user should send the JWT, typically in the Authorization header using the Bearer schema. for example:-

Authorization: Bearer <token>

This can be, a stateless authorization mechanism. server will check for a valid JWT in the Authorization header, if it is present, then the user will be allowed to access resources.


In this tutorial We covered about JWT(JSON Web Token) . It helps to authenticate users and sharing sensitive information while not maintaining the state. A Web token consist of three parts: Header
Payload and Signature.

Refrences:- https://jwt.io/introduction

Written by 

I'm a Software Consultant at Knoldus Inc. I have done Post Graduation from Quantum University Roorkee. I have knowledge of various programming languages. I'm passionate about Java development and curious to learn Java Technologies. I'm always ready to learn new technologies and my hobbies are cricket and action movies.