Understanding JSON Web Tokens (JWT) and Their Use in Authentication

This article explains the lightweight JWT specification, its three-part structure (header, payload, signature), how to create and encode tokens with example code, the purpose of signatures, security considerations, suitable use cases, and a step‑by‑step authentication flow comparing JWT with traditional session storage.

Architecture Digest

JSON Web Token (JWT) is a lightweight specification that enables secure information exchange between users and servers.

Consider a scenario where user A follows user B; the system sends an email to B with a link that can add A as a friend. Using a plain URL requires B to be logged in, but JWT allows the operation without prior login.

https://your.awesome-app.com/make-friend/?from_user=B&target_user=A

JWT Composition

A JWT is a string composed of three parts: Header, Payload, and Signature.

Payload

The payload is a JSON object that carries claims such as issuer (iss), issued‑at (iat), expiration (exp), audience (aud), subject (sub), and custom fields like from_user and target_user:

{
    "iss": "John Wu JWT",
    "iat": 1441593502,
    "exp": 1441594722,
    "aud": "www.example.com",
    "sub": "[email protected]",
    "from_user": "B",
    "target_user": "A"
}

The first five fields are defined by the JWT standard.

Base64‑url encoding the JSON payload yields the JWT payload string, e.g.:

eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdW...

In Node.js you can use the base64url package to produce such a string. Encoding only the two custom claims (the payload actually carried by the token shown further below) gives:

var base64url = require('base64url')
// minimal payload: the two custom claims only; the full payload above
// encodes to the longer string shown earlier
var payload = {"from_user": "B", "target_user": "A"}
console.log(base64url(JSON.stringify(payload)))
// output: eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0

Header

The header describes the token type and signing algorithm:

{
  "typ": "JWT",
  "alg": "HS256"
}

Base64‑url encoding the header produces the JWT header string:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Signature

The signature is created by concatenating the encoded header and payload with a period, then applying the HS256 algorithm (HMAC‑SHA256) with a secret (e.g., mystar) and Base64‑url encoding the result, yielding a string such as:

rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

The complete JWT joins the three parts with periods:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

Using this token, the email link can be changed to:

https://your.awesome-app.com/make-friend/?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJm...

Purpose of the Signature

The signature ensures that any modification to the header or payload will produce a different signature, and without the secret key an attacker cannot forge a valid signature.

Information Exposure

Since Base64 is reversible, the payload should never contain sensitive data such as passwords; only non‑sensitive identifiers (e.g., user ID) should be placed in the token.

JWT Use Cases

JWTs are suitable for transmitting non‑sensitive information in web applications, such as friend‑addition actions, order processing, etc.

Eight‑Step User Authentication Flow

1. User submits username and password via HTTPS POST.
2. Server validates credentials against the database.
3. On success, server creates a JWT with the user ID in the payload.
4. JWT is Base64‑url encoded, signed, and sent back as an HttpOnly cookie.
5. For subsequent requests, the browser includes the JWT cookie.
6. Server verifies the signature, checks expiration, and optionally validates the audience.
7. Server decodes the payload to obtain the user ID.
8. Server loads the user record and processes the request.

Difference from Session Storage

Session storage consumes server memory and may require distributed caches, whereas JWT stores state on the client, reducing server memory pressure.

Single Sign‑On (SSO)

Because JWTs are held client‑side, setting the cookie domain to the common parent domain (e.g., .taobao.com) allows all subdomains to receive the token without synchronizing session stores:

Set-Cookie: jwt=lll.zzz.xxx; HttpOnly; max-age=980000; domain=.taobao.com

Original source: https://u.nu/2k4wk

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
