# JWT Specifications

## JWT Specifications

*Based on* [*JWTSecrets.com*](https://jwtsecrets.com/specifications)

### 🔐 What is a JWT?

A **JWT (JSON Web Token)** is a compact, URL-safe means of representing claims to be transferred between two parties. It adheres to the RFC 7519 specification and is widely used for authentication and secure information exchange.

Learn more at [JWTSecrets.com](https://jwtsecrets.com/).

***

### 🧱 JWT Structure

A JWT consists of three parts separated by dots (`.`):

```
Header.Payload.Signature
```

For example:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

#### 1. Header

The header typically consists of two fields:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

* `alg` refers to the signing algorithm (e.g., HS256, RS256).
* `typ` indicates the token type, which is JWT.

#### 2. Payload

The payload contains the claims—statements about an entity (typically, the user) and additional metadata.

Common standard claims include:

| Claim | Description     |
| ----- | --------------- |
| `iss` | Issuer          |
| `sub` | Subject         |
| `aud` | Audience        |
| `exp` | Expiration Time |
| `nbf` | Not Before      |
| `iat` | Issued At       |
| `jti` | JWT ID          |

Custom claims can also be added as needed.

#### 3. Signature

The signature lets the recipient verify that the token was produced by a party holding the signing key and that the header and payload were not altered in transit.

The process:

```plaintext
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
```

***

### ✍️ Signing Algorithms

JWTs can be signed using:

* **HMAC (HS256, HS384, HS512)**
* **RSA (RS256, RS384, RS512)**
* **ECDSA (ES256, ES384, ES512)**
* And others supported by the JWT specification

The signing algorithm must match the one declared in the `alg` header.
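The HS256 signing process from the Signature section and the rule that the algorithm must match, as an added example in Python that is not code from JWTSecrets.com. It reproduces the page's example token; the secret `your-256-bit-secret` is an assumption (it is not on the page), and the verifier pins the algorithm it expects rather than trusting the token's `alg` header.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data matching the example token on the page.
# The secret is an assumption: it is not given on the page.
SECRET = b"your-256-bit-secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    # Compact separators: any whitespace change alters the signing input.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the token verifies under HS256, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64url, bad JSON
        return None
    # The verifier decides the algorithm; a token claiming anything else is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))
```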

For examples and key generators, visit [JWTSecrets Tools](https://jwtsecrets.com/).

***

### ✅ Key Characteristics

| Feature            | Description                                                        |
| ------------------ | ------------------------------------------------------------------ |
| **Compact**        | Easy to transmit via URLs, POST requests, and HTTP headers         |
| **Self-contained** | Includes all necessary user information in the token payload       |
| **Verifiable**     | Integrity and authenticity guaranteed via cryptographic signatures |

***

### 🔗 Additional Resources

* [What is a JWT?](https://jwtsecrets.com/)
* Generate a Secure JWT Secret Key
* Understand JWT Vulnerabilities
* [Specifications Reference](https://jwtsecrets.com/specifications)
