JWT (JSON Web Token) is a compact, secure way to transmit information between two parties — usually a client (like a browser or mobile app) and a server — as a JSON object. It’s commonly used for authentication and authorizationin web applications.

Structure of a JWT

Codeflare

A JWT is made up of three parts, separated by dots (.):

xxxxx.yyyyy.zzzzz
  • Header
  • Payload
  • Signature

1. Header

The header contains metadata about the token, like the type (JWT) and the algorithm used for signing (e.g., HS256).

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

This is then Base64Url-encoded to form the first part of the token.

2. Payload

The payload contains the actual data (claims) you want to transmit, such as user info or token expiry time.

Example:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1739700000
}

Types of claims:

  • Registered claims: predefined fields like iss (issuer), exp (expiration), sub (subject), aud (audience).
  • Public claims: custom data, e.g., name, role.
  • Private claims: application-specific data shared between two parties.

This part is also Base64Url-encoded.

3. Signature

To ensure the token wasn’t tampered with, the server signs it using a secret key (or a private key in asymmetric cryptography).

For example:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

The output is encoded again, forming the third part of the token.

Example JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

How JWT Works (Authentication Flow)

  1. User logs in → The server validates credentials.
  2. Server creates a JWT → Signs it using a secret key.
  3. Server sends the token to the client.
  4. Client stores the token (usually in localStorage or cookies).
  5. For each request, the client sends the token in the Authorization header:
Authorization: Bearer <token>

6. Server verifies the token → If valid, grants access to protected routes/resources.

Advantages

  • Stateless: No need to store sessions on the server.
  • Compact: Easy to transmit in URLs, headers, or cookies.
  • Cross-platform: Works with any language that supports JSON.

Disadvantages

  • Cannot be revoked easily: Once issued, a JWT is valid until it expires.
  • Larger than traditional session IDs.
  • Sensitive data must never be stored inside the payload (even though it’s encoded, it’s not encrypted).

Example in Node.js

Using jsonwebtoken package:

const jwt = require('jsonwebtoken');

// Generate a token
const token = jwt.sign({ userId: 123, role: 'admin' }, 'secretkey', { expiresIn: '1h' });

// Verify a token
try {
  const decoded = jwt.verify(token, 'secretkey');
  console.log(decoded);
} catch (err) {
  console.error('Invalid token');
}

Recent Posts

API Design Principles

How to Build APIs That Are Easy to Use, Scale, and Maintain Learn on the…

4 days ago

JavaScript vs Your Expectations

Almost everyone starts learning JavaScript with the wrong expectations. Let's fix them. Download the Codeflare…

2 weeks ago

Introduction to Phaser JS

Phaser JS is a powerful, open-source HTML5 game development framework used for creating 2D games that…

2 weeks ago

Web Authentication Libraries

JavaScript / Node.js Authentication Libraries 1. Passport.js One of the most popular authentication middleware libraries…

2 weeks ago

The Things They Carry: Software Developers Starter Packs

Every profession comes with its own set of tools. A carpenter has a toolbox, a…

2 weeks ago

CRUD Operations: The Foundation of Data Management

Every application that stores and manages data relies on a set of basic operations known…

4 weeks ago