JSON Web Token basics

A JSON Web Token (JWT) is an internet standard for representing claims securely between two parties. JWTs contain three parts: the *header*, the *payload*, and the *signature*. They are joined together by `.` to create a JWT like: `aaaaaa.bbbbb.ccccc`.

Example JWT

Decoded

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

Encoded

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
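The three steps above (base64url-encode header and payload, HMAC-SHA256 the joined string, append the base64url signature), worked through in Ruby. This is an added example written for this note, not code from jwt.io or the ruby-jwt gem. It uses the page's example header, payload and secret (`your-256-bit-secret`) and reproduces the encoded token shown above, then shows the checks a verifier should make: pin the algorithm rather than trusting the header's `alg`, compare signatures in constant time, and reject an expired token. The `exp` check is an assumption added for illustration; the page's payload carries no `exp` claim.

```ruby
require "json"
require "base64"
require "openssl"

# Minimal HS256 JWT encoder/verifier written from scratch for this note to
# show what a library such as ruby-jwt does under the hood. Constructed
# example; it is not the ruby-jwt gem's code.

SUPPORTED_ALG = "HS256".freeze

# Values taken from the page's example token (originally from jwt.io).
PAGE_SECRET  = "your-256-bit-secret".freeze
PAGE_PAYLOAD = { "sub" => "1234567890", "name" => "John Doe", "iat" => 1516239022 }.freeze
PAGE_TOKEN   = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." \
               "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." \
               "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c".freeze

# base64url (RFC 4648 section 5): "-" and "_" instead of "+" and "/", no padding.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # padding is optional for this decoder
end

def hs256(secret, data)
  OpenSSL::HMAC.digest("SHA256", secret, data)
end

# Constant-time byte comparison so a signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# header.payload.signature, exactly as the HMACSHA256(...) pseudocode above.
def jwt_encode(payload, secret)
  header = { "alg" => SUPPORTED_ALG, "typ" => "JWT" }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(hs256(secret, signing_input))}"
end

# Returns the payload hash if the token is valid, otherwise raises with a reason.
# The algorithm is pinned: the header's "alg" is checked against what we expect,
# never used to choose the verification routine, so a token whose header says
# "none" or names another algorithm is rejected before any signature work.
def jwt_verify(token, secret, now: Time.now.to_i)
  parts = token.split(".", -1) # -1 keeps an empty trailing signature segment
  raise "malformed token" unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  raise "unsupported alg #{header['alg'].inspect}" unless header["alg"] == SUPPORTED_ALG
  expected = hs256(secret, "#{header_b64}.#{payload_b64}")
  raise "bad signature" unless secure_equal?(expected, b64url_decode(sig_b64))
  payload = JSON.parse(b64url_decode(payload_b64))
  raise "token expired" if payload.key?("exp") && payload["exp"] <= now
  payload
end

if __FILE__ == $PROGRAM_NAME
  token = jwt_encode(PAGE_PAYLOAD, PAGE_SECRET)
  puts token
  puts "matches page token: #{token == PAGE_TOKEN}"
  puts "verified payload: #{jwt_verify(token, PAGE_SECRET)}"
end
```

Running the file prints the same token as the "Encoded" section above. Note that decoding the payload never required the secret: a JWT is signed, not encrypted, so nothing confidential belongs in the payload.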

When to use a JWT?

– Authorization – After a user logs in, the server returns a JWT. The user includes the JWT in each subsequent request to authorize it. JWTs are commonly used in Single Sign-On setups because they can avoid CORS issues.

Links

https://jwt.io/introduction

https://auth0.com/learn/json-web-tokens/

https://gorails.com/episodes/api-auth-with-json-web-tokens-and-knock

https://gorails.com/episodes/jwt-authentication-from-scratch-with-rails

https://gorails.com/episodes/jwt-with-devise

https://en.wikipedia.org/wiki/JSON_Web_Token

https://fusionauth.io/learn/expert-advice/tokens/anatomy-of-jwt

https://stackoverflow.com/questions/55389211/string-based-data-encoding-base64-vs-base64url

https://www.sitepoint.com/introduction-to-using-jwt-in-rails/

https://github.com/jwt/ruby-jwt

