Understanding JWTs (JSON Web Tokens)
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWT Structure
A JWT typically looks like `xxxxx.yyyyy.zzzzz`. It consists of three parts separated by dots:
1. Header
Consists of the token type (JWT) and the signing algorithm (e.g., HMAC SHA256 or RSA).
2. Payload
Contains the "claims" (statements) about an entity (typically, the user) and additional data.
3. Signature
Used to verify that the message wasn't changed along the way. It is created by signing the encoded header and encoded payload with a secret key (for HMAC) or a private key (for RSA).
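As an added illustration of these three parts (example code written for this page, not taken from the article or from any JWT library), the following Python builds and verifies an HS256 token using only the standard library, so every segment is visible. The secret and claim values are constructed, and `swap_payload_segment` is a hypothetical helper that simulates a token whose payload was altered in transit, to show the signature check rejecting it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not code from the original article: a minimal HS256
# encoder and verifier using only the standard library, to show what
# the header.payload.signature parts contain and how the third part
# catches modification of the first two. The secret and claims are
# constructed for the example.


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON (no whitespace), then base64url, as one token segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_jwt(payload: dict, secret: bytes) -> str:
    """Build an HS256 token: HMAC-SHA256 over 'header.payload'."""
    header_seg = _segment({"alg": "HS256", "typ": "JWT"})
    payload_seg = _segment(payload)
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the signature checks out, otherwise None.

    The verifier pins the algorithm it expects rather than trusting the
    header's "alg" value, and compares signatures in constant time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        presented = b64url_decode(sig_seg)
    except ValueError:  # bad base64 (binascii.Error) or bad JSON/UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        return json.loads(b64url_decode(payload_seg))
    except ValueError:
        return None


def swap_payload_segment(token: str, new_payload: dict) -> str:
    """Hypothetical helper: replace the payload but keep the old signature,
    simulating a token altered in transit."""
    header_seg, _, sig_seg = token.split(".")
    return f"{header_seg}.{_segment(new_payload)}.{sig_seg}"


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed, not a real key
    token = encode_jwt({"sub": "user-42", "iss": "auth.example"}, secret)
    print("token:", token)
    print("verified payload:", verify_jwt(token, secret))
    altered = swap_payload_segment(token, {"sub": "user-1", "iss": "auth.example"})
    print("altered token accepted?", verify_jwt(altered, secret) is not None)
```

Two design choices matter here: the verifier decides which algorithm it will accept (HS256) instead of reading that decision from the untrusted header, and it uses `hmac.compare_digest` so a mismatch takes the same time regardless of where the first differing byte is.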
Common Claims
- iss (Issuer): Identifies the principal that issued the JWT.
- sub (Subject): Identifies the principal that is the subject of the JWT (usually a user ID).
- exp (Expiration Time): Identifies the expiration time on or after which the JWT must not be accepted.
- iat (Issued At): Identifies the time at which the JWT was issued.
Security Warning
Do not put sensitive information (like passwords) in the payload. JWTs are Base64url-encoded, not encrypted: anyone who sees the token can decode it and read the payload.
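To make both points concrete (the registered claims listed above, and the warning that the payload is readable by anyone holding the token), here is an added Python example written for this page, not code from the article or from a JWT library. `decode_payload_unverified` reads the payload with no key at all, and `validate_claims` is a hypothetical checker for iss, sub, exp and iat that a service would run after the signature has been verified. The issuer name, timestamps and sample token are constructed.

```python
import base64
import json
import time
from typing import List, Optional

# Added example, not code from the original article. It shows two things:
# decode_payload_unverified() reads a JWT payload with no key at all, which
# is exactly why the payload must not carry secrets; validate_claims()
# checks the registered claims (iss, sub, exp, iat) the way a service
# should before trusting a token. The token, issuer and timestamps below
# are constructed for the example.


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload_unverified(token: str) -> dict:
    """Return the payload WITHOUT checking the signature.

    Fine for inspection or logging; never use the result for an
    authorization decision, since nothing here proves who issued it.
    """
    _, payload_seg, _ = token.split(".")  # ValueError if not three parts
    return json.loads(b64url_decode(payload_seg))


def validate_claims(payload: dict, expected_issuer: str,
                    now: Optional[int] = None, leeway: int = 0) -> List[str]:
    """Return the list of claim problems; an empty list means acceptable.

    `now` defaults to the current Unix time; `leeway` (seconds) tolerates
    clock skew between issuer and verifier in both directions.
    """
    if now is None:
        now = int(time.time())
    problems: List[str] = []

    if payload.get("iss") != expected_issuer:
        problems.append("iss: not issued by the expected issuer")

    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        problems.append("sub: missing subject")

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp: missing or non-numeric expiration")
    elif now >= exp + leeway:
        # RFC 7519: the token must not be accepted on or after exp.
        problems.append("exp: token has expired")

    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        problems.append("iat: issued-at time is in the future")

    return problems


# Constructed sample: a token whose payload is readable without any key.
# The signature segment is a placeholder; this module never checks it.
CONSTRUCTED_PAYLOAD = {"iss": "auth.example", "sub": "user-42",
                       "iat": 1700000000, "exp": 1700003600}
CONSTRUCTED_TOKEN = ".".join([
    b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
    b64url_encode(json.dumps(CONSTRUCTED_PAYLOAD, separators=(",", ":")).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = decode_payload_unverified(CONSTRUCTED_TOKEN)
    print("payload readable without a key:", claims)
    print("problems 100s after issue:", validate_claims(claims, "auth.example", now=1700000100))
    print("problems one hour later:  ", validate_claims(claims, "auth.example", now=1700003600))
```

Note the order of operations a service should keep: verify the signature first, then run the claim checks on the verified payload; the unverified decoder exists only so that the readability of the payload is obvious.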