JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting claims between parties as a JSON object whose integrity is protected by a signature (a signed JWT is readable by anyone; encrypting its contents requires JWE). JWTs are widely used for authentication in modern web applications.
Structure of JWT
A JWT consists of three parts separated by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
Each part is base64url-encoded without padding. Decoded, this example token's header is {"alg":"HS256"} and its payload is {"sub":"1234567890"}.
1. Header
{"alg": "HS256", "typ": "JWT"}
Specifies the signing algorithm and the token type.
2. Payload
{"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1516242622}
Contains claims: data about the user (sub, name) and token metadata such as issued-at (iat) and expiry (exp), both Unix timestamps. The payload is only base64url-encoded, not encrypted, so anyone holding the token can read it.
3. Signature
Ensures token integrity: without the key nobody can produce a valid signature, so any change to the header or payload invalidates the token. For HS256 the signature is the HMAC-SHA256 over the first two segments, itself base64url-encoded:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
How JWT Authentication Works
- The user sends a login and password
- The server verifies the credentials and creates a JWT carrying the user's claims and an expiry
- The client stores the token (a cookie or localStorage; see JWT Security below)
- For each request, the client sends:
Authorization: Bearer <token>
- The server verifies the signature and the exp claim, and only then extracts data from the payload; a payload that has not passed the signature check must not be trusted
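The structure and the login-to-verify flow above, as an added example that is not code from the original page: it decodes the page's example token into its three segments, signs and verifies HS256 tokens with the standard library only, and runs the flow (login issues a token, the client sends it as a Bearer header, the server verifies signature and exp before using the payload). SECRET, USERS and the constant-time credential check are constructed for the illustration; a real service loads the key from a secrets store and compares a password hash.

```python
"""Minimal HS256 JWT: the three segments, signing, verification, and the
login -> bearer header -> verify flow. Added illustration, standard library only;
SECRET and USERS are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for the example. A real deployment loads the key from a secrets
# store and uses at least 32 random bytes.
SECRET = b"example-hs256-key-constructed-for-this-demo"

# The example token shown on the page; its header and payload are decoded below.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIn0."
              "dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U")

TOKEN_LIFETIME = 15 * 60  # seconds; the page recommends 15-30 minutes


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that the encoder stripped.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) WITHOUT checking the signature.
    Inspection only: never authorise anything based on this output."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """base64url(header) . base64url(payload) . base64url(HMAC-SHA256(signing input))."""
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def hs256_verify(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify signature and expiry; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server pins the algorithm; the token does not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison, done before the payload is parsed or used.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or exp missing")
    return payload


# ---- the authentication flow ------------------------------------------------

# Constructed user store. Real code stores and compares a password hash.
USERS = {"alice": "correct horse battery staple"}


def login(username: str, password: str, now: float) -> Optional[str]:
    """Server side, steps 1-2: check credentials and issue a short-lived JWT."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME}
    return hs256_sign(header, payload, SECRET)


def authenticate_request(headers: dict, now: float) -> Optional[str]:
    """Server side, steps 4-5: take the bearer token from the Authorization
    header, verify it and return the subject; None means not authenticated."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        return hs256_verify(token, SECRET, now=now)["sub"]
    except ValueError:  # covers bad base64, bad JSON, bad signature, expiry
        return None


if __name__ == "__main__":
    t0 = 1516239022
    tok = login("alice", "correct horse battery staple", t0)
    print("page token decodes to:", decode_unverified(PAGE_TOKEN))
    print("issued token:", tok)
    print("subject now:", authenticate_request({"Authorization": "Bearer " + tok}, t0 + 60))
    print("subject after an hour:", authenticate_request({"Authorization": "Bearer " + tok}, t0 + 3600))
```

Note the order inside hs256_verify: algorithm check, then signature, then expiry, and the payload is only returned after all three pass. A tampered payload with an old signature, a token sent without the Bearer scheme, and a token past its exp all come back as not authenticated.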
JWT Debugger
Use JWT Debugger Xuvero to decode a token and inspect its header and payload. Decoding only reads the base64url segments; it does not prove that the signature is valid.
JWT Security
- Store tokens in httpOnly cookies, not localStorage: script injected via XSS can read localStorage but cannot read an httpOnly cookie. Cookie-borne tokens are sent automatically, so add CSRF protection (SameSite attribute, anti-CSRF token)
- Set a short expiration time (15-30 minutes) via the exp claim, and reject any token whose exp has passed
- Use a refresh token for renewal, stored separately and revocable on the server
- Never store sensitive data in the payload: it is base64url-encoded, not encrypted, and readable by anyone who sees the token
- Check alg on the server: pin the expected algorithm in server configuration and reject any token whose header alg differs, to protect against "alg: none" attacks, where an attacker strips the signature and claims the token is unsigned
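The last point, as an added example that is not code from the original page: a verifier that dispatches on the alg claimed in the untrusted header accepts a forged, unsigned alg:none token, while a verifier that pins HS256 server-side rejects it (and still accepts a properly signed token). SECRET, the claims and the forged token are constructed for the illustration; standard library only.

```python
"""alg:none demonstration: a verifier that trusts the token's own "alg" header
versus one that pins the algorithm server-side. Added illustration, not code
from the original page; SECRET and the tokens are constructed for the example."""
import base64
import hashlib
import hmac
import json

SECRET = b"server-side-key-constructed-for-this-demo"  # constructed for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Legitimate issuer: HS256 over base64url(header).base64url(payload)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def forge_none_token(payload: dict) -> str:
    """Attacker: rewrite the header to alg none and drop the signature.
    No key is needed; the third segment is simply empty."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def verify_vulnerable(token: str, secret: bytes) -> dict:
    """BUG: lets the untrusted header choose the verification algorithm."""
    h_b64, p_b64, s_b64 = token.split(".")
    alg = json.loads(b64url_decode(h_b64)).get("alg", "").lower()
    if alg == "none":  # "unsigned" tokens are accepted as-is
        return json.loads(b64url_decode(p_b64))
    if alg == "hs256":
        mac = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, b64url_decode(s_b64)):
            return json.loads(b64url_decode(p_b64))
    raise ValueError("invalid token")


def verify_hardened(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """The server chooses the algorithm; the header must match it exactly and
    the signature is always checked, so a token cannot talk its way into a
    weaker or different verification path."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Exact, case-sensitive comparison: "none", "None", "nOnE" all fail here.
    if header.get("alg") != expected_alg:
        raise ValueError("alg mismatch")
    if not s_b64:
        raise ValueError("missing signature")
    mac = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def run_attack() -> tuple:
    """Return (payload the vulnerable verifier accepted, whether hardened rejected)."""
    forged = forge_none_token({"sub": "admin", "role": "admin"})
    accepted = verify_vulnerable(forged, SECRET)
    try:
        verify_hardened(forged, SECRET)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = run_attack()
    print("vulnerable verifier accepted:", accepted)
    print("hardened verifier rejected:", rejected)
```

The forged token carries no key material at all; the only thing that stops it is the server refusing to let the token pick the algorithm. The same pinning is what a library's "allowed algorithms" parameter does, and it is the setting to check when reviewing a JWT integration.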