JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It is commonly used for authentication and authorisation in modern web applications.
Structure of a JWT
A JWT consists of three parts:
- Header – Contains metadata about the token, such as the signing algorithm.
- Payload – Contains JWT Claims that convey information about the subject of the token.
- Signature – Ensures the integrity and authenticity of the token; it is computed over the encoded header and payload using the algorithm named in the header.
These three parts are base64url-encoded and concatenated with dots (.) to form a complete JWT.
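The three-part structure and the signature check described above, as an added example that is not part of the original text: a minimal HS256 signer and verifier in Python. The key and the claims are constructed sample values; the verifier pins the algorithm it accepts instead of trusting the untrusted header.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding so the standard decoder accepts the segment
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    # header.payload are encoded first; the MAC is computed over that exact string
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    # Returns the payload only if the token is well-formed and authentic, else None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers malformed base64url and malformed JSON
        return None
    # The verifier decides which algorithm is acceptable; the header is attacker-controlled input
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    demo_key = b"constructed-demo-secret"  # constructed sample key, not for real use
    token = sign_hs256({"sub": "alice", "scope": "read"}, demo_key)
    print(token)
    print(verify_hs256(token, demo_key))
```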
Authentication and Authorisation
A JWT can serve different purposes depending on the context in which it is used:
- Authentication: An ID Token is issued in OpenID Connect (OIDC) to verify a user’s identity.
- Authorisation: An Access Token is issued in OAuth 2.0 to grant access to protected resources.
JWTs are widely used because they are self-contained: a recipient can verify the signature and read the claims without consulting a server-side session store, which lets authentication and authorisation scale across stateless services.