JSON Web Token – JWT

Currently, applications allow third-party applications to access their data. This is done mostly by exposing REST APIs.

These REST APIs have to be secured. One mechanism that supports API security is token-based security.

The standard for token-based security is JWT (JSON Web Token); let's look at it in detail below.

JWT tokens are popularly called “JOT” tokens.

Features of JWT Tokens

  1. Uses JSON for transmitting information
  2. Self-contained – carries all information
  3. Language agnostic – works with Python, Java, JavaScript, .NET, Node.js, etc.
  4. Used within the HTTP header when authenticating to an API

Components of JWT Token

JWT tokens consist of three strings separated by “.”

  • Header
  • Payload
  • Signature


Header

Contains 2 parts

“typ” : “JWT”

“alg” : “HS256”

  • Declaring type
  • Hashing algorithm – HMAC with SHA-256 (HS256)


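Payload

Contains the JWT claims. This section contains all the information that needs to be transmitted, plus information about the token itself. It is Base64-encoded (the URL-safe base64url variant), not encrypted, so anyone holding the token can read it.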


Claims are of 3 types

  • Registered
    • iss (Issuer)
    • sub (Subject)
    • aud (Audience)
    • exp (Expiration Time)
    • nbf (Not Before)
    • iat (Issued At)
    • jti (JWT ID)
  • Public
    • Claim name should be registered with the IANA “JSON Web Token Claims” registry
  • Private
    • The producer and consumer of a JWT may agree to use private claims which are not registered


Signature

The signature is the hash (HMAC-SHA256 when “alg” is “HS256”) computed from:

  • Header
  • Payload
  • Secret
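
The three components described above can be built and checked with the Python standard library alone. This is an added example, not code from the original post; the secret, the claim values and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample key, not from the page

def b64url(data: bytes) -> str:
    # JWT uses URL-safe Base64 with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header_b64: str, payload_b64: str, secret: bytes) -> str:
    # HS256: HMAC-SHA256 over "<header>.<payload>", keyed with the secret
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())

def encode(claims: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.{sign(h, p, secret)}"

def verify(token: str, secret: bytes, now=None) -> dict:
    # Every failure is a ValueError, including malformed Base64 or JSON
    h, p, s = token.split(".")  # wrong part count raises ValueError
    header = json.loads(b64url_decode(h))
    # Pin the algorithm on the server side; never let the token choose it
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Check the signature (constant-time compare) before trusting any claim
    if not hmac.compare_digest(sign(h, p, secret).encode(), s.encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

if __name__ == "__main__":
    token = encode({"iss": "example-issuer", "sub": "user-123",
                    "exp": int(time.time()) + 300}, SECRET)
    print(token)
    print(verify(token, SECRET))
```

The verifier rejects a token whose payload was changed after signing, because the signature no longer matches the recomputed HMAC.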
