
JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) for representing claims as a JSON object that is transmitted between parties in a compact, URL-safe form. In practice a JWT is a signed JWS (RFC 7515), and it can additionally be encrypted as a JWE (RFC 7516) when the claims must stay confidential. JWTs are widely used in authentication and authorization mechanisms, particularly in web applications and APIs, because they are compact, self-contained, and tamper-evident: a verifier can check a token's signature locally without calling back to the issuer.

A JWT consists of three base64url-encoded segments separated by dots (header.payload.signature):

Header: A JSON object naming the token type (typ, normally JWT) and the signing algorithm (alg), such as HS256 (HMAC-SHA256), RS256 (RSA) or ES256 (ECDSA). It may also carry a key identifier (kid) that tells the verifier which key to use.

Payload: The set of claims, that is, statements about an entity (usually the user) plus metadata. RFC 7519 registers a small set of claim names, including iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at) and jti (token ID); applications add their own, such as roles or permissions. In a signed JWT the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it.

Signature: Computed over the encoded header and payload with a shared secret (HMAC) or the issuer's private key (RSA, ECDSA, EdDSA). The verifier recomputes the HMAC with the same secret, or checks the signature with the issuer's public key, and rejects the token if either the header or the payload has changed. The signature provides integrity and authenticity, not confidentiality.

JWTs offer several advantages:

Stateless Authentication: The verifier needs no server-side session store, only the verification key, which suits horizontally scaled services. The trade-off is that a token cannot be revoked before it expires unless the application keeps its own denylist, so token lifetimes should be short.

Portability: JWTs are compact, URL-safe strings that travel easily in an HTTP header (typically Authorization: Bearer) or a cookie, which suits mobile and web applications alike.

Security: A signed JWT can be verified, so a relying party can detect any alteration to the header or payload, provided it validates the signature with the expected algorithm and key and checks the standard claims (exp, iss, aud).

JWTs are widely used in OAuth 2.0 and OpenID Connect: OpenID Connect ID tokens are JWTs that authenticate the user to the client application, and many authorization servers also issue OAuth 2.0 access tokens as JWTs (RFC 9068) so that resource servers can validate them locally. JWTs are secure when properly implemented, but well-known handling mistakes undermine them: short or guessable HMAC secrets that can be brute-forced offline from a single captured token, libraries that honour the token's own alg header (which enables alg: none and HMAC/RSA key-confusion attacks), failure to check exp, iss and aud, and treating the readable payload as confidential. Verifiers should pin the accepted algorithm and key, validate every standard claim, and keep token lifetimes short.
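As an added example (not code from this page or from CodeBranch), the following Python script uses only the standard library to build an HS256-signed token from the three segments described above and then verify it the way a careful relying party should: pinned algorithm, constant-time signature comparison, and exp/iss/aud checks performed only after the signature passes. The secret, issuer, audience, claims and clock value are constructed sample data. It also exercises the failure modes named in the paragraph above: a tampered payload, an alg: none downgrade, a wrong audience, an expired token and a wrong key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample inputs for the example; none of these values is real.
SECRET = b"replace-with-at-least-32-random-bytes-from-a-csprng"
ISSUER = "https://auth.example"
AUDIENCE = "orders-api"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


class InvalidToken(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the '=' padding removed (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, header.payload)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the claims only if signature, alg and time/iss/aud checks all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("undecodable segment") from exc
    # The verifier pins the algorithm. Honouring the token's own "alg" is what
    # makes "alg":"none" and HMAC/RSA key-confusion attacks possible.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise InvalidToken("bad signature")
    # Claim checks come after the signature check: only signed claims are trusted.
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise InvalidToken("expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise InvalidToken("not yet valid")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud_list:
        raise InvalidToken("wrong audience")
    return claims


def outcome(token: str, secret: bytes, now: float = NOW) -> str:
    """'ok' or the rejection reason, to show each failure mode side by side."""
    try:
        verify_hs256(token, secret, ISSUER, AUDIENCE, now=now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


def demo() -> dict:
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
              "iat": NOW, "exp": NOW + 600, "scope": "orders:read"}
    good = sign_hs256(claims, SECRET)
    h, p, s = good.split(".")
    # 1. Payload is only base64url-encoded: anyone holding the token can read it.
    readable_sub = json.loads(b64url_decode(p))["sub"]
    # 2. Tampered payload (privilege escalation attempt) keeps the old signature.
    tampered = h + "." + _segment(dict(claims, scope="orders:admin")) + "." + s
    # 3. "alg":"none" with an empty signature, the classic downgrade attempt.
    unsigned = _segment({"alg": "none", "typ": "JWT"}) + "." + p + "."
    # 4. A valid token minted for a different audience.
    other_aud = sign_hs256(dict(claims, aud="billing-api"), SECRET)
    return {
        "valid": outcome(good, SECRET),
        "readable_sub": readable_sub,
        "tampered": outcome(tampered, SECRET),
        "alg_none": outcome(unsigned, SECRET),
        "wrong_aud": outcome(other_aud, SECRET),
        "expired": outcome(good, SECRET, now=NOW + 3600),
        "wrong_key": outcome(good, b"some-other-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

The verifier never reads the algorithm from the token to decide how to check it; it knows which algorithm and key it expects and rejects anything else. In production you would use a maintained JOSE library rather than this hand-rolled code, but the same rules apply: pass the allowed algorithms explicitly, supply the expected issuer and audience, and treat a token whose exp is missing as invalid.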

How CodeBranch applies JSON Web Token (JWT) in real projects

The definition above gives you the concept — but knowing what JSON Web Token (JWT) means is different from knowing when and how to apply it in a production system. At CodeBranch, we have spent 20+ years building custom software across healthcare, fintech, supply chain, proptech, audio, connected devices, and more. Every entry in this glossary reflects how our engineering, architecture, and QA teams actually use these concepts on client projects today.

Our work combines AI-powered agentic development, the Spec-Driven Development (SDD) framework, CI/CD pipelines with agent rules, and production-grade quality gates. Whether you are evaluating a technology for your product, trying to understand a vendor proposal, or simply learning, this glossary is written to give you practical, accurate context — not theoretical abstractions.
