JWTs
JSON Web Tokens
They contain three sections, separated by a period (.)
They only contain characters from the base64url alphabet: A-Za-z0-9-_ (plus the two dots)
The first two segments start with eyJ
That's because each is base64-encoded JSON: every JSON object begins with {" and base64 turns those bytes into eyJ
eyJ...
= base64('{"...'), e.g. base64('{"alg') = eyJhbGc=
- Standardized format -> you'll see it all over the place
- Allows you to send JSON payloads between systems, securely (this is the main use case of JWTs)
- Uses digital signatures -> proof that a trusted party created the token and no one has tampered with it
Sections:
- Header: describes the token itself -- how to read and validate it
- Payload: the token's data as a JSON object -- contains claims about the entity
- Signature: computed over the encoded header + payload with the key, then base64url-encoded; its length varies with the algorithm and key
Claims -> statements made by the token's creator about an entity (typically a user or service)
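Added example, not part of the original notes: a small Python script (standard library only) that builds an HS256 token, shows the three dot-separated segments and the eyJ prefix, decodes the claims, and verifies the signature. The secret key and the claims are constructed for the example; a real API would load its key from configuration.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional, Tuple

# Constructed sample key: hypothetical secret shared by the issuer and the API that checks tokens.
SECRET_KEY = b"example-shared-secret"

# A JWT is three base64url segments (A-Za-z0-9-_) joined by periods.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_jwt(candidate: str) -> bool:
    """Cheap shape check: three segments from the base64url alphabet."""
    return JWT_SHAPE.fullmatch(candidate) is not None


def create_jwt(claims: dict, key: bytes) -> str:
    """Header describes the token, payload carries the claims, signature covers both."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload without checking the signature (inspection only, no trust)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature is valid for this key, else None."""
    if not looks_like_jwt(token):
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm: the verifier decides how to check, not the token's header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def with_modified_payload(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature, to show that verification then fails."""
    header_b64, _, sig_b64 = token.split(".")
    new_payload = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return ".".join([header_b64, new_payload, sig_b64])


if __name__ == "__main__":
    token = create_jwt({"sub": "alice", "role": "user"}, SECRET_KEY)
    print("token:", token)
    print("segments start with:", [seg[:3] for seg in token.split(".")[:2]])
    print("decoded (unverified):", decode_unverified(token))
    print("verified claims:", verify_jwt(token, SECRET_KEY))
    print("wrong key:", verify_jwt(token, b"some-other-key"))
    print("edited payload:", verify_jwt(with_modified_payload(token, {"sub": "alice", "role": "admin"}), SECRET_KEY))
```

The header segment comes out as the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, and the payload segment also begins with eyJ, because both encode a JSON object. Decoding a token tells you what it says; only the signature check tells you who said it and that it was not changed in transit.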
Use cases!
- JWTs are not that useful by themselves, but they open a world of possibilities when combined with OAuth or OpenID Connect (OIDC)
- JWTs are used by APIs to authenticate clients