TIL: JWT token structure

2022-04-08 00:00:00 +0000 UTC

JWT (JSON Web Token) is a three-part token used most prominently for stateless authentication schemes. The three parts are the header (which names the signing algorithm and token type), the payload (the claims about the subject), and the signature computed over the first two parts.

Because the signature is generated with a cryptographic algorithm using a secret (or with public-key cryptography), the signature securely validates the token as long as the secret itself is, well, secret.

The token is transmitted in the format base64url(header).base64url(payload).base64url(signature). That is, each of the three parts is base64url encoded and separated from the next part by a period (.).

A common issue with JWT implementations is a lack of algorithm validation–specifically, accepting an alg value of none, which tells a naive verifier that the token carries no signature to check at all.

An example token from JWT.io:

{
	"alg": "HS256",
	"typ": "JWT"
},
{
	"sub": "1234567890",
	"name": "John Doe",
	"iat": 1526239022
},
HMACSHA256(
	base64UrlEncode(header) + "." +
	base64UrlEncode(payload),
	"a 256 bit secret"
)

Good explainers: Wikipedia, JWT.io.

Tags: til jwt web