JWT Specifications
Based on JWTSecrets.com
🔐 What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. It adheres to the RFC 7519 specification and is widely used for authentication and secure information exchange.
Learn more at JWTSecrets.com.
🧱 JWT Structure
A JWT consists of three parts separated by dots (.):
Header.Payload.Signature
For example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. Header
The header typically consists of two fields:
{
  "alg": "HS256",
  "typ": "JWT"
}
alg refers to the signing algorithm (e.g., HS256, RS256).
typ indicates the token type, which is JWT.
2. Payload
The payload contains the claims—statements about an entity (typically, the user) and additional metadata.
Common standard claims include:
iss: Issuer
sub: Subject
aud: Audience
exp: Expiration Time
nbf: Not Before
iat: Issued At
jti: JWT ID
Custom claims can also be added as needed.
3. Signature
The signature is used to verify that the JWT was produced by the holder of the signing key and that the header and payload were not altered along the way.
The process:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
✍️ Signing Algorithms
JWTs can be signed using:
HMAC (HS256, HS384, HS512)
RSA (RS256, RS384, RS512)
ECDSA (ES256, ES384, ES512)
And others supported by the JWT specification
The signing algorithm must match the one declared in the alg header.
For examples and key generators, visit JWTSecrets Tools.
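As an added worked example (not code from the original page or from JWTSecrets.com), the following Python reproduces the HMAC-SHA256 signing step above and pairs it with a verifier that pins the expected algorithm instead of trusting the token's alg header, compares signatures in constant time, and rejects tampered or unsigned tokens. It assumes the well-known demo secret "your-256-bit-secret", which is the value that produces the example token shown above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed inputs: the page's example header and payload, plus the
# demo secret assumed to produce the page's example token.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
SECRET = b"your-256-bit-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64url(header) + "." + base64url(payload), secret)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return f"{signing_input}.{b64url_encode(sig.digest())}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if token is a valid HS256 JWT, otherwise None.

    The verifier decides the algorithm (HS256) itself rather than reading
    it from the untrusted header, so "alg": "none" or a switched algorithm
    is rejected before any signature check; the comparison is constant-time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
```

A real verifier would additionally check exp, nbf, iss and aud against its own policy; those claim checks are omitted here to keep the signature logic in focus.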
✅ Key Characteristics
Compact: Easy to transmit via URLs, POST requests, and HTTP headers
Self-contained: Includes all necessary user information in the token payload
Verifiable: Integrity and authenticity guaranteed via cryptographic signatures
🔗 Additional Resources
Generate a Secure JWT Secret Key
Understand JWT Vulnerabilities