JSON Web Token (JWT)
is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims between parties as a JSON object. Security comes from the signature: the contents can be verified, but a plain signed JWT is not encrypted, so anyone who holds the token can read its payload.
- A server issues a token to a client after verifying its credentials (e.g. username and password).
- The client then presents the token (typically in the HTTP Authorization: Bearer header) to access protected resources on the server.
- A JWT is composed of three parts, each base64url-encoded and joined with dots (header.payload.signature):
  - Header: metadata, chiefly the algorithm used to sign the token (alg) and the token type (typ).
  - Payload: the claims, i.e. the data the token carries (subject, roles, expiration time, ...). Encoded, not encrypted.
  - Signature: computed over the encoded header and payload with the server's key; used to verify the integrity and authenticity of the token.
- The server verifies the token by:
  - checking its signature with the algorithm the server expects (the alg value in the header must match it, never be trusted to select it), then validating the claims (identity, roles, permissions, expiration time).
- The server does not need to store the token: because it is signed, it can be verified statelessly. The flip side is that a token cannot be revoked before it expires unless the server keeps a denylist or uses short lifetimes.
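The full cycle described above (issue a token, read its payload without the key, verify it, and reject tampered, algorithm-downgraded and expired tokens) as an added example using only the Python standard library. This is illustrative code written for these notes, not from any JWT library; the secret key and the claims are constructed for the demo, and the verifier is deliberately limited to HS256.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server generates this from a CSPRNG (>= 32 bytes for HS256).
KEY = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 requires for JWS/JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    """Compact JSON, then base64url: one dot-separated segment of the token."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, key: bytes) -> str:
    """Server side: header.payload signed with HMAC-SHA256 (alg HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Server side: check the signature, then the claims. Raises ValueError on any failure.

    The accepted algorithm is pinned to HS256 by the verifier; the token's own
    'alg' header is compared against it, never used to choose the algorithm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def try_verify(token: str, key: bytes, now=None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_token(token, key, now)
        return "ok"
    except ValueError as e:  # covers json, base64 and unicode decoding errors too
        return str(e)


def read_claims_unverified(token: str) -> dict:
    """Anyone holding the token can read the payload: it is base64url, not encryption."""
    return json.loads(b64url_decode(token.split(".")[1]))


def forge_payload(token: str, new_claims: dict) -> str:
    """Attacker side: swap the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_claims)}.{sig_b64}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: the classic 'alg: none' token with an empty signature."""
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(claims)}."


if __name__ == "__main__":
    claims = {"sub": "alice", "roles": ["user"], "exp": 1_000_000}  # constructed claims
    token = issue_token(claims, KEY)
    print(token)
    print(read_claims_unverified(token))                                   # readable without KEY
    print(try_verify(token, KEY, now=999_000))                             # ok
    print(try_verify(forge_payload(token, {**claims, "roles": ["admin"]}), KEY, now=999_000))
    print(try_verify(forge_alg_none(claims), KEY, now=999_000))
    print(try_verify(token, KEY, now=1_000_000))                           # expired
```

The two forge_* helpers exist to show why the verifier is written the way it is: editing the payload breaks the HMAC, and an "alg": "none" header is rejected because the verifier pins its own algorithm instead of reading it from the token.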