JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. A JWT consists of three parts: Header, Payload, and Signature, separated by dots.
How a JWT is Formed
A JWT is composed of three parts:
Header: This typically consists of two parts: the type of the token (JWT) and the signing algorithm (e.g., HS256).
Payload: Contains the claims. These can be registered (like iss, exp, sub, iat), public, or private claims.
Signature: Created by base64url-encoding the header and the payload, concatenating them with a dot, and signing the result with a secret key (or private key) using the algorithm named in the header.
The result is a string with three base64url-encoded components separated by dots: header.payload.signature. Note that base64url is an encoding, not encryption: anyone holding the token can decode and read the header and payload. The signature protects the token's integrity, not the confidentiality of its contents.
How JWT is Verified
To verify a JWT, the recipient recomputes the signature over the received header and payload using the key it holds for the issuer (the shared secret for an HMAC algorithm such as HS256, or the issuer's public key for an asymmetric algorithm). If this computed signature matches the one in the JWT, the token is considered authentic and untampered. The algorithm used for this check should be fixed by the verifier's own configuration rather than taken from the token's header, and a successful signature check should be followed by validation of the claims, in particular exp.
Why JWT is Safe
The safety of JWT comes from the use of a secret key or a public-private key pair to generate the signature. Without knowing the secret or the private key, it is practically infeasible to forge a valid token or to alter an existing one without the signature check failing. JWT also supports expiry (exp) and issued-at (iat) timestamps so that a token is only accepted within a bounded time window, which limits how long a captured token can be replayed; the recipient must actually check these claims for that protection to apply.
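The following is an added, self-contained example (not code from the original article) that walks through the three passages above: forming an HS256 token from a header and payload, verifying it by recomputing the HMAC, and enforcing the exp claim. The secret, the issuer name and the fixed timestamp are constructed for the demonstration. The verifier pins HS256 itself instead of trusting the header's alg value and compares signatures in constant time; the demo also shows that a payload altered after signing is rejected because the recomputed signature no longer matches.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for this example only; a real service loads its
# signing key from a secret store rather than hard-coding it.
SECRET = b"example-shared-secret-not-for-production"

# Fixed timestamp (constructed) so the example is reproducible offline.
ISSUED_AT = 1_700_000_000


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Form a JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify a JWT as a careful recipient and return its claims.

    The verifier fixes the algorithm itself (HS256) instead of trusting the
    header's alg value, compares signatures in constant time, and rejects a
    token whose exp has passed.  Any failure raises ValueError.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")

    # Recompute the signature over exactly the bytes the sender signed.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    # RFC 7519: the current time must be strictly before exp.
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, secret: bytes, now: int) -> Optional[str]:
    """Return why verification failed, or None if the token is accepted."""
    try:
        verify_hs256(token, secret, now=now)
    except ValueError as err:
        return str(err)
    return None


def demo() -> dict:
    """Issue a token, then run a valid, a tampered and an expired check."""
    claims = {"iss": "auth.example", "sub": "user-42",
              "iat": ISSUED_AT, "exp": ISSUED_AT + 300}
    token = sign_hs256(claims, SECRET)

    # Re-encode the payload with a changed sub but keep the original signature:
    # the recomputed HMAC no longer matches, so the recipient rejects it.
    header_b64, _, signature_b64 = token.split(".")
    altered = dict(claims, sub="someone-else")
    altered_b64 = b64url_encode(json.dumps(altered, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{altered_b64}.{signature_b64}"

    return {
        "valid": rejection_reason(token, SECRET, now=ISSUED_AT + 10),
        "tampered": rejection_reason(tampered, SECRET, now=ISSUED_AT + 10),
        "expired": rejection_reason(token, SECRET, now=ISSUED_AT + 300),
        "claims": verify_hs256(token, SECRET, now=ISSUED_AT + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints `valid: None` (accepted), `tampered: signature mismatch`, `expired: token expired`, and the decoded claims. The `now` parameter exists only so the expiry check is reproducible; production code would use the real clock, normally with a small allowance for clock skew.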