How JWT Enables Secure, Login‑Free Friend Requests in Web Apps
This article explains the JSON Web Token (JWT) format, its three-part structure, how to encode a payload and header with Base64, sign the token using HS256, and apply the resulting JWT to a friend‑request scenario that works without requiring the recipient to log in.
What is JWT?
JSON Web Token (JWT) is a compact specification for passing information between a user and a server in a form whose integrity the server can verify.
Example Scenario
When user A follows user B, the system sends an email to B with a link "Click to follow A". The original link carries both users as query parameters and requires B to be logged in before the server will act on it:
https://your.awesome-app.com/make-friend/?from_user=B&target_user=A
With JWT, the same operation is encoded in a signed token, so B can complete the action from the email link without logging in.
JWT Structure
A JWT consists of three parts: Header, Payload, and Signature. The header and payload are Base64‑url‑encoded JSON, the signature is the Base64‑url‑encoded raw signature bytes, and the three parts are joined with periods.
Payload
The payload is a JSON object that describes the operation. It contains standard fields defined by the JWT specification and custom fields for the specific use case.
{
  "iss":"John Wu JWT",
  "iat":1441593502,
  "exp":1441594722,
  "aud":"www.example.com",
  "sub":"jrocket@example.com",
  "from_user":"B",
  "target_user":"A"
}
Standard (registered) fields used here:
iss: issuer of the JWT
sub: subject (the user the JWT is about)
aud: audience (the intended recipient, which the server must check against its own identity)
exp: expiration time (Unix timestamp), after which the server must reject the token
iat: issued‑at time (Unix timestamp)
from_user and target_user are custom fields for this scenario.
Base64‑url‑encoding this JSON yields the payload string:
eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9
Header
The header describes the token type and the signing algorithm.
{
  "typ":"JWT",
  "alg":"HS256"
}
Base64‑url‑encoding the header produces:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
Signature
The signature is produced by HS256, that is, HMAC‑SHA256 keyed with a secret that only the server knows (e.g., mystar), computed over the Base64‑url‑encoded header, a period, and the Base64‑url‑encoded payload. The HMAC output is itself Base64‑url‑encoded:
rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM
The final JWT is the three parts joined by periods:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM
Using this token, the email link becomes:
https://your.awesome-app.com/make-friend/?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM
Because the operation and its parameters travel inside the signed token, B can follow A from the email link without logging in.
Why the Signature Matters
The signature binds the header and payload together. Any modification to the payload changes the expected signature, and without the secret key an attacker cannot produce a matching one. The server recomputes the HMAC over the received header and payload with its own secret and compares the result with the signature in the token; a mismatch indicates tampering, and the server responds with 401 Unauthorized.
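As an added example (not code from the article or its author), the encoding, HS256 signing and server-side check described above in plain Python, reusing the article's header, payload and demo secret mystar. The now argument stands in for the server clock so the expiry check is reproducible; the secret and audience values are the article's examples, not real configuration.

```python
import base64, hashlib, hmac, json

SECRET = b"mystar"  # the demo secret the article names; a real deployment uses a long random key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # no '=' padding, as JWT requires

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    # Compact JSON with key order preserved, so the output matches the article's strings.
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(payload: dict, secret: bytes = SECRET) -> str:
    """header.payload.signature, where HS256 = HMAC-SHA256 over 'header.payload'."""
    signing_input = encode_part({"typ": "JWT", "alg": "HS256"}) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str, audience: str, now: int, secret: bytes = SECRET):
    """Return the payload if the token is valid for this server, else None (the server answers 401)."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # never trust the token's alg claim; this server only issues HS256
        return None
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare; mismatch means tampering
        return None
    if payload.get("aud") != audience or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload

# The article's payload (B follows A) and the Base64url string the article shows for it.
ARTICLE_PAYLOAD = {"iss": "John Wu JWT", "iat": 1441593502, "exp": 1441594722, "aud": "www.example.com",
                   "sub": "jrocket@example.com", "from_user": "B", "target_user": "A"}
ARTICLE_PAYLOAD_B64 = "eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9"

if __name__ == "__main__":
    token = sign(ARTICLE_PAYLOAD)
    print("https://your.awesome-app.com/make-friend/?jwt=" + token)  # the emailed link
    print(verify(token, "www.example.com", now=1441593600))  # the payload dict: link accepted
```

A token whose payload was edited after signing, or that carries a different alg, is rejected by verify(), which is the check the server applies before acting on from_user and target_user.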
Is the Information Exposed?
Base64 is an encoding, not encryption: anyone who obtains the token can decode the payload and read every field. Therefore sensitive data such as passwords must never be placed in the payload; only non‑sensitive identifiers (e.g., user IDs) belong there.
Typical Use Cases
JWT is suitable for transmitting non‑sensitive data in web applications, such as friend‑request links, order confirmations, or single‑sign‑on tokens. It is also widely used to design authentication and authorization systems.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"