A JSON Web Token (JWT) is an internet standard for representing claims securely between two parties.[1] A JWT has three parts: the header, the payload, and the signature. Each part is base64url-encoded and the three are joined with a period (".") to form a token like aaaaaa.bbbbb.ccccc.

Example JWT

Decoded
Header

{
    "alg": "HS256",
    "type": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

Encoded

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
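As an added worked example (not code from the original page or from any of the linked projects), the signature formula above carried out in Ruby: it rebuilds the page's example token from the header, payload and secret shown, and verifies a token with the algorithm pinned and a constant-time signature comparison. The helper names are my own.

```ruby
require "json"
require "openssl"

# Base64url without padding, as the JWS spec requires for each segment.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decode; raises ArgumentError on junk
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# header.payload.signature, exactly as the HMACSHA256(...) formula on the page.
def hs256_sign(header, payload, secret)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  mac = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{b64url(mac)}"
end

# Returns the payload Hash when the token is valid, nil otherwise.
def hs256_verify(token, secret)
  parts = token.split(".")
  return nil unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm instead of trusting the token's own "alg" field: a
  # verifier that honours whatever alg the token names is a classic JWT bug.
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(expected, b64url_decode(sig_b64))
  JSON.parse(b64url_decode(payload_b64))
rescue ArgumentError, JSON::ParserError
  nil
end

# The page's own example header, payload and secret (a demo secret, not a real key).
HEADER  = { "alg" => "HS256", "typ" => "JWT" }.freeze
PAYLOAD = { "sub" => "1234567890", "name" => "John Doe", "iat" => 1516239022 }.freeze
SECRET  = "your-256-bit-secret"
TOKEN   = hs256_sign(HEADER, PAYLOAD, SECRET)
puts TOKEN, hs256_verify(TOKEN, SECRET).inspect
```

Running it prints the same encoded token as shown above, which confirms that the demo secret is the key behind the page's signature.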

When to use a JWT?

  • Authorization - After a user logs in, the server returns a JWT. The client includes that JWT in each subsequent request to authorize it. JWTs are commonly used in Single Sign-On setups because they can be used across domains without running into CORS issues.

References:

https://jwt.io/introduction
https://auth0.com/learn/json-web-tokens/
https://gorails.com/episodes/api-auth-with-json-web-tokens-and-knock
https://gorails.com/episodes/jwt-authentication-from-scratch-with-rails
https://gorails.com/episodes/jwt-with-devise
https://en.wikipedia.org/wiki/JSON_Web_Token
https://fusionauth.io/learn/expert-advice/tokens/anatomy-of-jwt
https://stackoverflow.com/questions/55389211/string-based-data-encoding-base64-vs-base64url
https://www.sitepoint.com/introduction-to-using-jwt-in-rails/
https://github.com/jwt/ruby-jwt