Understanding JSON Web Tokens (JWT): Structure, Usage, and Node.js Implementation

This article explains the fundamentals of JSON Web Tokens, detailing their three-part structure, standard header and payload fields, signature creation, typical authentication workflow, and practical Node.js code examples for generating and validating JWTs securely.

System Architect Go

In many backend systems, operations that require user authentication cannot rely on repeatedly sending usernames and passwords; instead, a token mechanism is used to represent a logged‑in user’s identity and permissions.

JWT (JSON Web Token) is an open standard for securely transmitting claims between parties. A JWT consists of three Base64‑url encoded parts: header, payload, and signature, separated by periods.

The header typically contains two fields:

- alg: the algorithm used for signing (e.g., HS256, RS256).
- typ: the token type, which is "JWT".

The payload carries the claims. The JWT specification defines seven standard claims:

- iss: issuer of the token.
- sub: subject (the user).
- aud: audience.
- exp: expiration time (Unix timestamp).
- nbf: not before; the token is invalid before this time.
- iat: issued-at time (Unix timestamp).
- jti: unique identifier for the token.

The signature is created by signing the concatenated Base64‑encoded header and payload with the chosen algorithm, producing a string that ensures integrity.

When assembled, with periods separating the three parts, a JWT looks like:

base64UrlEncode(header) . base64UrlEncode(payload) . signature

Typical usage flow:

1. User logs in with username and password.
2. Server generates a JWT and returns it to the client.
3. Client includes the JWT in the Authorization header of subsequent requests.
4. Server validates the token (signature, expiration, audience, etc.) before processing the request.

In practice, Node.js developers can create JWTs using the built‑in crypto module for signing and a library like moment for handling timestamps. Modern algorithms such as HS256 or RS256 are recommended over insecure ones like MD5 or SHA‑1.

Token verification involves decoding the Base64 header and payload, checking the claims (e.g., user ID matches, token not expired), and optionally recomputing the signature to detect tampering.

While the JWT specification defines a set of standard claims, developers are free to add custom fields—such as a role or permission flag—in the payload to support fine‑grained access control.

In summary, JWT provides a lightweight, language‑agnostic way to convey authentication and authorization data, and with proper algorithm choices and claim validation it forms a solid foundation for secure backend services.

Republication notice: This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.