What is JWT Token?

A JWT stands for Json Web Token. It’s simply a token which is used between the request-response cycle of API calls.

What exactly JWT does in Request-Response of a API calls?

It is used for the authorization of users. This JWT contains information about the logged-in user. So in every API call, the server knows who is the user requesting the service and based on his permissions it gives access to requested services.

So now you know what JWT is. one interesting fact of JWT is, it is not stored on the server but on the client-side, it is stored in cookies. Let's see the detailed structure and function of JWT.

Structure of JWT :

The JWT is simply divided into three segments as shown in the figure below.
each segment has its own identity and value.

This is JWT

You can see in the picture below that JWT is divided into three segments :

1.Header: Red Segment is Header and contains information about the type of algorithm used to encode and type of token. As of now, there is only JWT in future there may be chances of other kinds of tokens also.

2.Payload: The violet coloured segment is called payload. It contains the information of the user and other details like token issued at →”iat”, token expired at → ”eat”.

3.Verify-Signature: The blue coloured segment is the verify signature. It contains the encoded information of Header and Payload.

Now you came to know the structure of JWT, Let's see the in-depth function of JWT.

headerkey  =  base64(Header)
Payloadkey = base64(payload)
verify-signature = HMACSHA256(secretkeyenc(headerkey + payloadkey) )JWT : headerkey.payloadkey.verify-signature

Security in JWT :

Now you know how the three segments of JWT are formed. You have a doubt that header and payload are encoded using base64 and can be decoded easily by base64 which is universally available.

Then how a JWT is safe even it exposes the info of the user.

Here comes the play of verify-signature of JWT. Even if anyone knows the payload and header encode them and create a JWT with them the verify-signature will differ and the API call request gets rejected thus the security is maintained.

Generally, What happens is when a JWT is received a server decodes the verify-signature with its secret key which is not exposed to anyone except the server. After decoding the resultant is checked for user details. If anyone sent a created by just knowing payload and header the decoded info will differ, it fails at server maintaining the security.

What if anyone knows our JWT :

If anyone knows our JWT and uses the service like you, then you have to raise a request to the server then the particular JWT is marked in Blacklist and checks during the API call request-response cycle if the found API call request is blocked.

After you authenticated (login) again a new JWT is given and used for your API request-responses.

General JWT Request-Response Lifecycle

— — — — — — — — — — — dedicated to Rajath — — — — — — — — — — — —