Your Quick Guide to JWT
Aram Tchekrekjian @AramT87
What is JWT
JWT (JSON Web Token) is a standard format for transmitting data, expressed as a JSON object, between systems. The token is signed, so the receiving system can verify that the data is intact and comes from the expected issuer.
Why Use JWT?
Authentication: verifies the user's identity.
Authorization: grants access to protected resources according to the role carried in the token's claims.
Stateless: no session data needs to be stored on the server; everything the server needs is in the token.
JWT Security Model
Header: contains metadata about the token, namely the signing algorithm (alg) and the token type (typ).
Payload: holds the user data, expressed as claims.
Signature: computed over the header and payload; it ensures the token's integrity and authenticity, so any change to the header or payload invalidates it.
JWT Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmJmIjoxNzQxMzI3NjEyLCJleHAiOjE3NDEzMjg1MTAsImlhdCI6MTc0MTMyNzYxMiwiaXNzIjoiaHR0cDovL2NvZGluZ3NvbmF0YS5jb20iLCJhdWQiOiJodHRwOi8vY29kaW5nc29uYXRhLmNvbSJ9.MLzdiWUCEblnTH5YKRpqMmtQ4ptxeMM9LRljEa80UCY
JWT Example Breakdown
The three dot-separated parts are base64url-encoded (no padding). The first two decode to JSON; the third is the raw HMAC-SHA256 signature.
Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
decodes to {"alg":"HS256","typ":"JWT"}
Payload: eyJuYW1laWQiOiIxIiwibmJmIjoxNzQxMzI3NjEyLCJleHAiOjE3NDEzMjg1MTAsImlhdCI6MTc0MTMyNzYxMiwiaXNzIjoiaHR0cDovL2NvZGluZ3NvbmF0YS5jb20iLCJhdWQiOiJodHRwOi8vY29kaW5nc29uYXRhLmNvbSJ9
decodes to {"nameid":"1","nbf":1741327612,"exp":1741328510,"iat":1741327612,"iss":"http://codingsonata.com","aud":"http://codingsonata.com"}
Signature: MLzdiWUCEblnTH5YKRpqMmtQ4ptxeMM9LRljEa80UCY
JWT Claims
iss: Issuer, the party that created and signed the token.
sub: Subject, the principal the token is about.
aud: Audience, the recipient(s) the token is intended for.
exp: Expiration time (seconds since the Unix epoch); the token must not be accepted after it.
nbf: Not-before time (seconds since the Unix epoch); the token must not be accepted before it.
iat: Issued-at time (seconds since the Unix epoch).
jti: JWT ID, a unique identifier for the token.
Decoding JWT in JWT.io
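The same decoding that jwt.io performs, done locally, followed by the full issue-and-verify round trip that the header/payload/signature model and the claims list above describe. This is an added Python example and not code from the slides: it decodes the deck's own token (the HMAC secret behind that token's signature is not on the slides, so only its header and payload can be decoded, not verified), then signs a fresh token under a constructed secret and verifies it, checking the signature before exp, nbf, iss and aud. The secret, issuer and audience URLs used for the demo are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Token copied from the slides (header.payload.signature). The HMAC secret that
# produced its signature is not on the slides, so it can be decoded but not verified here.
SLIDE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJuYW1laWQiOiIxIiwibmJmIjoxNzQxMzI3NjEyLCJleHAiO"
    "jE3NDEzMjg1MTAsImlhdCI6MTc0MTMyNzYxMiwiaXNzIj"
    "oiaHR0cDovL2NvZGluZ3NvbmF0YS5jb20iLCJhdWQiOiJo"
    "dHRwOi8vY29kaW5nc29uYXRhLmNvbSJ9."
    "MLzdiWUCEblnTH5YKRpqMmtQ4ptxeMM9LRljEa80UCY"
)


def b64url_decode(s):
    """JWT uses base64url without padding; restore the '=' padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Header and payload with NO signature check: fine for inspection (what jwt.io
    shows), never as the basis for an access decision."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims, secret):
    """Issue a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, secret, issuer, audience, now=None, leeway=0):
    """Verify the signature first, then the registered claims. Raises ValueError
    with a short reason on the first check that fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm it expects; the token's alg field is untrusted input.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the MACs.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if now < claims.get("nbf", now) - leeway:
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def verification_outcome(token, secret, issuer, audience, now):
    """'ok' or the reason verification failed; used below to show each check in turn."""
    try:
        verify_hs256(token, secret, issuer, audience, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    header, claims = decode_unverified(SLIDE_TOKEN)
    print("slide header :", header)
    print("slide payload:", claims)
    # Constructed values for the signing demo (not from the slides).
    secret = b"constructed-demo-secret-do-not-reuse"
    issuer, audience = "https://issuer.example", "https://api.example"
    token = sign_hs256({"sub": "1", "iss": issuer, "aud": audience,
                        "iat": 1000, "nbf": 1000, "exp": 1900}, secret)
    for label, args in {
        "valid": (token, secret, issuer, audience, 1500),
        "after exp": (token, secret, issuer, audience, 2000),
        "before nbf": (token, secret, issuer, audience, 500),
        "wrong key": (token, b"another-key", issuer, audience, 1500),
        "wrong aud": (token, secret, issuer, "https://other.example", 1500),
    }.items():
        print(f"{label:10}: {verification_outcome(*args)}")
```

Two design points worth noting. The algorithm is pinned by the verifier rather than read from the token, so a token presenting a different alg is rejected before any signature work is done, and the signature is checked before any claim is read, so an expired or mis-addressed token is never reasoned about on the basis of unverified data. A small leeway is the usual way to absorb clock skew between issuer and verifier; it defaults to zero here so the checks are exact.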
Authentication with JWT
JWT Best Practices
Aram Tchekrekjian @AramT87