Unlocking JWT: How JSON Web Tokens Power Modern Authentication
This article explains what JWT (JSON Web Token) is, its compact self‑contained structure, how it replaces traditional session‑cookie authentication, and discusses its benefits, limitations, and practical usage in stateless web security.
Introduction
In this article we explore what JWT (JSON Web Token) is and how it can be used to implement distributed session management.
What is JWT
JWT stands for JSON Web Token. It is a compact, self‑contained token that securely transmits information as a JSON object between parties. The token can be signed using symmetric (e.g., HS256) or asymmetric algorithms to prevent tampering.
1. Data is JSON format 2. Used for web applications 3. It is a token (a credential)
“Compact” means the token is small enough to be sent via URL, POST parameters, or HTTP headers. “Self‑contained” means the token can carry user‑defined claims such as name or nickname, avoiding repeated database queries.
JWT Structure
JWT consists of three parts:
Header
Payload
Signature
Header.Payload.SignatureHeader
The header describes the token’s metadata, typically a JSON object like:
{
"alg": "HS256",
"typ": "JWT"
}The alg field indicates the signing algorithm (default HS256) and typ denotes the token type.
Payload
The payload carries the actual claims. JWT defines seven standard fields, but custom fields can be added (e.g., name, nickname). The payload is also Base64‑encoded and not encrypted by default, so sensitive data should never be placed inside.
Note: The payload is Base64‑encoded and can be decoded by anyone; do not store confidential information.
Signature
The signature protects the header and payload from tampering. It is generated by applying the algorithm specified in the header to the Base64‑encoded header and payload, using a secret known only to the server:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret)After computing the signature, the three parts are concatenated with dots to form the final token.
How JWT Works
When a user logs in successfully, the server returns a JWT. The client stores the token (e.g., in a cookie or local storage) and includes it in subsequent requests, typically in the Authorization: Bearer <token> header.
JWT vs. Session‑Cookie
In the traditional Session‑Cookie model the user’s state is stored on the server; in the JWT model the state lives on the client, and the server only decodes the token to retrieve the claims.
Advantages of JWT
Token stored on client, freeing server resources.
Stateless and easily scalable across load‑balanced servers.
Signed data ensures integrity; however, payload is readable.
Placing the token in request headers mitigates CSRF attacks.
Drawbacks of JWT
Cannot revoke a token before its expiration; a compromised token remains valid until it expires.
Because the token contains user claims, updates to user data are not reflected until a new token is issued, leading to possible data inconsistency.
Conclusion
Choose the authentication method that fits your business: traditional session‑cookie for scenarios requiring server‑side state, or JWT for stateless, scalable services. The author still recommends the classic session approach for most future use cases.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Java Backend Technology
Focus on Java-related technologies: SSM, Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading. Occasionally cover DevOps tools like Jenkins, Nexus, Docker, and ELK. Also share technical insights from time to time, committed to Java full-stack development!
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.