What is JWT
JWT (JSON Web Token, pronounced “jot”) is a compact format for securely exchanging information between two systems. Standardized in RFC 7519, it is primarily used for authentication and authorization in web applications.
The problem JWT solves: Traditional session-based authentication required storing session information on the server side. With JWT, the server becomes stateless, improving scalability.
JWT Structure
JWT consists of three parts, each Base64URL encoded and concatenated with dots (.).
```mermaid
flowchart LR
    subgraph JWT["xxxxx.yyyyy.zzzzz"]
        H["Header"]
        P["Payload"]
        S["Signature"]
    end
    H --- P --- S
```
1. Header
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
2. Payload
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1705234800,
  "exp": 1705238400
}
```
3. Signature
The signature is computed over the encoded header and payload with a secret key, so the receiver can check that neither part was altered after issuance.
Important: The JWT payload is only Base64URL encoded, not encrypted. Do not include sensitive information in the payload.
Access Tokens and Refresh Tokens
| Type | Access Token | Refresh Token |
|---|---|---|
| Purpose | API access authentication | Renewing access tokens |
| Expiration | Short (15 min - 1 hour) | Long (7 - 30 days) |
| Storage | Memory or short-lived Cookie | HttpOnly Cookie |
Security Best Practices
- Set appropriate expiration times
- Use strong secret keys
- Explicitly specify the algorithm the verifier accepts, rather than trusting the `alg` value in the token's header
- Store in HttpOnly Cookies
- Don’t include sensitive information
Summary
JWT is a powerful tool for achieving stateless authentication. By understanding its structure and implementing it properly, you can build secure and scalable authentication systems.