JSON Web Tokens(JWT)

What do JWTs look like?

Since JWT is basically used for managing authorization the main idea behind that is to create a standard way to communicate with two parties securely.

When to use JWTs

JWTs can be used in various ways.

1. Authorization

Once the user/client successfully authenticates for the system by using a username or password, each subsequent request must pass the JWT which will allow the user to access routes, services, or resources (e.g., APIs).

2. Information Exchange

JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be sure that the senders are who they say they are. Additionally, the structure of a JWT allows you to verify that the content hasn’t been tampered with.

How actually JWT Works in the real world?

JWT work Flow in real world
Authorization: Bearer <token>

What is the JWT structure?

Sample JSON Web Token (Figure 1)
  • Header
  • Payload
  • Signature


The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Sample — Header (Bas64 Decoded) (Figure 2)


The second part of the token is the payload, which contains the claims. Claims are statements about an entity. There are three types of claims

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims.
  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined
  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.
Sample — Payload (Bas64 Decoded) (Figure 3)


Signature is the most important part of this token and it is the only part that is hidden from the public. Because to generate this signature server will user security key and that key will only know by the server.

Sample — Signature (Figure 4)

JWT = Encoded Header + Encoded Payload + Secret Key

If you want to play with JWT and put these concepts into practice, you can use jwt.io.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kalana Tebel

Kalana Tebel

A Computer Science enthusiast. Software Engineer. Full Stack developer. Music Lover