# JWT Explained in 4 Minutes

![rw-book-cover](https://media2.dev.to/dynamic/image/width=1000,height=500,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8wiw2dbjerzq6br66qv8.png)

## Metadata

- Author: [[DEV Community]]
- Full Title: JWT Explained in 4 Minutes
- Category: #articles
- Summary: JWT, or JSON Web Token, is a widely used user authentication standard for securely transmitting information between a client and server in JSON format. The JWT consists of three parts: the header, payload, and signature, each base64 encoded. The process involves authentication, token generation, sending the token to the client, sending it back to the server, verifying the token, and authorizing the request. JWTs offer advantages like lightweight portability and protection against tampering but have drawbacks such as the need to manually invalidate non-expired tokens on the server side and the potential risk of intercepted tokens providing full access to sensitive information.
- URL: https://dev.to/jaypmedia/jwt-explained-in-4-minutes-with-visuals-g3n

## Highlights

- A JSON Web Token consists of 3 parts separated by a period: the header, the payload, and the signature. ([View Highlight](https://read.readwise.io/read/01k2qph97hsb7wy1fatq2j2wva))
- **Header:** The header consists of the token type, which is JWT, and the signing algorithm used, such as HMAC SHA256 or RSA.

  ```json
  {
    "typ": "JWT",
    "alg": "HS256"
  }
  ```

  ([View Highlight](https://read.readwise.io/read/01k2qq52fkry9zzpardytc63aw))
- **Payload:** The payload consists of the claims. Claims are statements about the user, plus additional data. For example, we have the time the token was issued at (`iat`). We also have its expiration time (`exp`), because tokens should expire.

  ```json
  {
    "iss": "example_issuer",
    "sub": "user_id123",
    "exp": 1644768000,
    "iat": 1644744000
  }
  ```

  ([View Highlight](https://read.readwise.io/read/01k2qq9292hfa828w8hk0rn67b))
- **Signature:** The signature is the most important part of a JWT. It is calculated from the header, the payload, and the secret, which are fed to the signing algorithm named in the header.

  ```text
  signature = HMAC-SHA256(
    base64urlEncode(header) + "." + base64urlEncode(payload),
    secret_salt
  )
  ```

  ([View Highlight](https://read.readwise.io/read/01k2qq9p4qxk3fyrk3mqbzge22))
- The steps involved in a typical JWT authorization flow are as follows:

  **1- Authentication:** The user signs in using a username and password, or using, for example, Google or Facebook. The server verifies the provided credentials.

  **2- Token Generation & sending token to client:** The server generates the JWT and sends it to the client, which stores it for future use. ([View Highlight](https://read.readwise.io/read/01k2qqavzy0012r6wwb4v52zvj))
- **3- Sending the Token to server:** When the client wants to access a protected resource on the server, it sends the JWT in the Authorization header of the HTTP request.

  ```javascript
  axios.get(URL, {
    headers: {
      'Authorization': 'Bearer ' + token,
    },
  })
  ```

  ([View Highlight](https://read.readwise.io/read/01k2qqb4yqze9cwjp4q7sbq791))