How JSON Web Tokens (JWT) Work

A look at a common format for passing verified claims between parties.

A JSON Web Token, usually shortened to JWT, is a compact, standardized way to package up information that needs to travel between two parties. If you've worked with web authentication, you've almost certainly run into one. Here's how they're structured and how they're typically used. There's a JWT decoder on this site if you want to crack one open and look inside.

Structure

A JWT comes in three parts, separated by periods: a header, a payload, and a signature. The header and payload are JSON objects encoded with a URL-safe form of Base64. The header generally spells out the token type and which algorithm signed it. The payload carries the actual statements, called claims, like who the user is and when the token expires. The signature is what lets a recipient confirm the token hasn't been tampered with.

The signature

The signature is produced by running the encoded header and payload through the algorithm named in the header, along with a secret key (for HMAC algorithms) or a private key (for asymmetric ones). When someone receives the JWT, they use the matching key to check that signature. If anyone edited the header or payload after the fact, the signature won't line up anymore and the token gets rejected. That's the whole trick: it's why the receiving side can trust the contents of a token whose signature verifies cleanly.

How tokens are used

The classic use is keeping a user signed in. After someone logs in, the server hands back a JWT that identifies them, and their app attaches that token to each request that follows. The server checks the signature, reads the claims, and figures out who's asking and what they're allowed to do, all without keeping a stored session for every user on its end. You'll often hear this called stateless authentication.

Important considerations

Here's the part that trips people up: a JWT's header and payload are encoded, not encrypted. Anyone holding the token can read what's inside. So unless you're adding encryption on top, keep sensitive information out of the payload. The signature guarantees the token wasn't altered, but it does nothing to hide the contents. It's also standard practice to give tokens an expiration time so they're only good for a limited window, and to send them over secure connections.

Summary

To recap, a JSON Web Token is a compact bundle of header, payload, and signature. It's commonly used to pass verified claims between parties, very often for authentication. The signature is what makes the contents trustworthy, but those contents are still readable, so treat sensitive data carefully and always send tokens over a secure connection.
