Overview of JWT
JSON Web Token (JWT) is a JSON-based standard (RFC 7519) that provides a secure means of exchanging claims between two parties. A JWT represents its claims in a compact, URL-safe format intended for space-constrained environments such as HTTP Authorization headers. The claims are encoded as a JSON object, which forms the payload of the JWT.
JWT authentication is stateless: no session state is kept in server memory. JWTs are self-contained, that is, each token carries all the information the server needs about the user. Because nothing is stored server-side, a token remains valid until it expires unless the server adds a revocation mechanism of its own.
JWT Structure
The JWT structure is comprised of the following elements:
Header. Identifies the token type (the typ field, here JWT) and the algorithm (the alg field) used to sign or MAC the token.
Payload. Contains the JWT claims. Claims are statements about an entity (typically the user) plus any additional metadata the issuer wants to transmit to the server. There are three types of claims:
Registered claims. A set of predefined claims, none of which is mandatory but all of which are recommended for interoperability.
Public claims. Claims defined at will by users of JWT; to avoid collisions, their names should be registered in the IANA registry or use a collision-resistant name such as a URI.
Private claims. Custom claims agreed upon between the parties that exchange the token; they are neither registered nor public.
Signature. Computed over the encoded header and payload, so the receiver can detect tampering and confirm that the token was produced by a holder of the signing key. Note that the header and payload are only base64url-encoded, not encrypted: anyone holding the token can read them.
Therefore, a compact JWT looks like: base64url(header).base64url(payload).base64url(signature).
Registered Claims
Registered claims are registered in the IANA JSON Web Token Claims registry. Following are some of the commonly used registered claims:
| Claim | Name | Description |
| --- | --- | --- |
| iss | Issuer | Identifies the principal that issued the JWT. |
| sub | Subject | Identifies the principal that is the subject of the JWT. |
| aud | Audience | Identifies the recipients the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim; if it does not, it must reject the JWT. |
| exp | Expiration Time | Identifies the expiration time on or after which the JWT must not be accepted for processing. |
| nbf | Not Before | Identifies the time before which the JWT must not be accepted for processing. |
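The following is an added example, not code from the original page or from any JWT library. It ties together the two sections above: it builds the header.payload.signature structure by hand with an HS256 MAC, and then verifies a token the way a server should, checking the signature and the iss, aud, exp and nbf registered claims from the table. The secret key, issuer URL, audience string and fixed clock value are constructed for the demo and are not part of the original text. It uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) requires for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    # The signature covers the encoded header and payload exactly as they appear in the token.
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[int] = None) -> dict:
    """Verify the signature and the exp/nbf/iss/aud claims; return the payload or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides what it accepts, not the token's alg header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # aud may be a single string or an array; this recipient must appear in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("not intended for this audience")
    # exp is treated as required here; RFC 7519 says "on or after" exp the token is invalid.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", now):
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, audience: str, now: int) -> Optional[str]:
    """Return the ValueError message if verification fails, else None."""
    try:
        verify_jwt(token, key, issuer, audience, now)
    except ValueError as exc:
        return str(exc)
    return None


def demo() -> dict:
    """Issue a token with the registered claims from the table and verify it at a fixed clock."""
    key = b"constructed-demo-secret-not-for-production"  # constructed for the example
    now = 1_700_000_000  # fixed clock so the run is deterministic
    token = sign_jwt({
        "iss": "https://issuer.example",  # hypothetical issuer
        "sub": "user-42",
        "aud": "api.example",             # hypothetical audience
        "iat": now, "nbf": now, "exp": now + 300,
    }, key)
    return verify_jwt(token, key, issuer="https://issuer.example", audience="api.example", now=now)


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the verifier hard-codes the algorithm it is willing to accept instead of trusting the alg value inside the token, and it compares MACs with hmac.compare_digest rather than ==. Shift the now argument past exp, or below nbf, to see the corresponding rejection.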