Understanding JSON Web Tokens (JWT): Structure, Creation, and Practical Use
This article explains the lightweight JWT specification, walks through its three-part structure (header, payload, signature), shows how to encode and sign a token with Node.js, and demonstrates using a JWT‑based link to perform a friend‑request operation without requiring the recipient to log in.
JSON Web Token (JWT) is a compact, URL‑safe specification that enables secure transmission of information between a client and a server.
Consider a scenario where user A follows user B; the system sends an email to B with a link like https://your.awesome-app.com/make-friend/?from_user=B&target_user=A. This approach requires B to be logged in, but a JWT can eliminate that requirement.
A JWT consists of three parts: a Header, a Payload, and a Signature.
Payload
The payload is a JSON object that carries both standard claims and custom data. Example payload:
{
  "iss": "John Wu JWT",
  "iat": 1441593502,
  "exp": 1441594722,
  "aud": "www.example.com",
  "sub": "jrocket@example.com",
  "from_user": "B",
  "target_user": "A"
}

Standard fields (iss, sub, aud, exp, iat) are defined by the JWT spec, while custom fields (from_user, target_user) convey application-specific information.
Base64URL‑encoding the payload yields:
eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9

In Node.js you can generate this string with the base64url package:

var base64url = require('base64url')
// The full example payload shown above; key order matters for the encoded output
var payload = {"iss":"John Wu JWT","iat":1441593502,"exp":1441594722,"aud":"www.example.com","sub":"jrocket@example.com","from_user":"B","target_user":"A"}
console.log(base64url(JSON.stringify(payload)))
// Output: eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9
// The minimal payload {"from_user":"B","target_user":"A"}, which the signed token below uses, encodes to:
// eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0

Header
The header describes the token type and signing algorithm:
{
  "typ": "JWT",
  "alg": "HS256"
}

Base64URL-encoding the header produces:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Signature
The signature is created by concatenating the encoded header and the encoded payload with a period, then applying HMAC-SHA256 (HS256) to that string with a secret (e.g., mystar). Note that the token below uses the minimal payload {"from_user":"B","target_user":"A"} (encoded as eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0) rather than the full example payload shown earlier. The signing input is:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0

Signing this string with the secret yields:

rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

The complete JWT is the three parts joined by periods:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

Using this token, the email link can be simplified to:

https://your.awesome-app.com/make-friend/?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

This allows B to complete the friend request without logging in.
The signature ensures integrity: any modification to the header or payload changes the signature, and without the secret the server cannot produce a matching signature, so tampered tokens are rejected with HTTP 401.
Because Base64URL encoding is reversible (it is encoding, not encryption, so anyone holding the token can read the payload), sensitive data (e.g., passwords) should never be placed in the payload; only non-sensitive identifiers like user IDs are appropriate.
JWTs are suitable for transmitting non‑sensitive information, implementing authentication and authorization, and enabling single‑sign‑on (SSO) in web applications.
Architect's Guide
Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.