JWT
JWT (JSON Web Token) is a method of encoding and signing JSON data as a URL-safe string.
While JWT is designed to carry authentication "claims," it can also serve as a general-purpose signing method if you ignore the registered claim names the spec defines.
An example JWT in its encoded format looks like the below:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Base64url-decoding the payload (the middle segment) of the above JWT yields the JSON object below:
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
NOTE: You must validate the signature of the JWT before using the data in the claims; otherwise anyone can forge a similar-looking JWT and, for example, replace the username to log in as another user. Decoding the payload is not validation: the claims are only Base64url-encoded, not encrypted, so anyone can read and rewrite them.
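The following is an added example (not part of the wiki page or of any of the listed implementations) showing, with only the Python standard library, the difference between decoding a JWT and verifying it: it signs a token with HMAC-SHA256, verifies it with a pinned algorithm and a constant-time comparison, and shows that a token whose payload was rewritten, or whose header claims alg "none", is rejected. The secret "your-256-bit-secret" used in the stand-alone demo is assumed to be the one the jwt.io debugger uses for this sample token; the other secret and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The encoded token from the article, joined back into one string.
ARTICLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What 'extracting the contents' means: decode the payload. Trusts nothing."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the server side: a token asking for "none" or any
    # other algorithm is rejected rather than honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_payload(token: str, new_claims: dict) -> str:
    """Rewrite the payload but keep the old signature (what an attacker without
    the secret can do); verify_hs256 must reject the result."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    # Assumed jwt.io demo secret for the article's sample token.
    print("article token claims:", decode_unverified(ARTICLE_TOKEN))
    print("verified with demo secret:", verify_hs256(ARTICLE_TOKEN, b"your-256-bit-secret"))
    secret = b"constructed-demo-secret"   # constructed for this example
    tok = sign_hs256({"sub": "42", "name": "Alice"}, secret)
    forged = forge_payload(tok, {"sub": "42", "name": "Mallory"})
    print("forged token decodes to:", decode_unverified(forged))
    print("forged token verifies to:", verify_hs256(forged, secret))
```

The point of the `forge_payload` helper is that `decode_unverified` happily returns the rewritten name while `verify_hs256` returns None for the same string; an application that reads claims through the first function and never calls the second is the situation the note above warns about.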
Resources
- jsonwebtoken.io
- Ruby Implementation
- PHP Implementation
- My Favorite Database is the Network
- Stop Using JWT for Sessions