What The Hack is JWT ?!

Tue Feb 27 2018


I was just writing about some of my coding adventures with some new awesome features I built that took advantage of JWT.

While I was writing that post I assumed everyone knows what JWT is, so I decided to write a quick note about it. Just in case 🙂

So, in brief, a JWT (JSON Web Token) is a simple token that consists of 3 parts:

  • header
  • payload
  • signature

Example of a token (signed with HS256, which is HMAC with SHA-256):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlR6b29rIEJhciBOb3kiLCJ3ZWJzaXRlIjoiaHR0cHM6Ly90em9va2IuY29tIn0.79-chMwGpBzWhU-4oodSYy9ZBbbpjLRXQdjXPAmPrgc

You can see the three parts are separated by a dot (.). Each part is base64url-encoded, and the first two decode to plain JSON.

header {#headers}

Contains the signing algorithm used (alg, in the example above HS256) and the token type (typ, which is JWT).

payload {#payload}

Contains the claims: all the data you want to transfer in that token, for example a user id (sub) and an expiration time (exp).

signature {#signature}

Is the HMAC (not a plain hash; with HS256 it is HMAC-SHA256) computed over the encoded header and payload using the secret string we used to create the JWT. Without the secret you can read the token but you cannot produce a valid signature for a modified one, and the verifier must use a constant-time comparison when checking it.

A signed JWT does not encrypt data: anyone can base64-decode the header and payload and read them, so never put secrets in the payload. It is here to transfer data and let the receiver verify that it came from a valid source and was not modified on the way.

Use Cases {#usecases}

Some killer use cases:

  • Login session. You can create a JWT with a userId and an expiration and send it to your frontend app. Now the app knows which user you are, and on all backend API calls it will attach the JWT so the backend can verify the token. If the signature is valid and the token is not expired we can serve the request with the secured data it requested. The backend must check the signature and the exp claim on every call and never trust a userId it only decoded.

  • Forgot password. You can send your users a link containing a JWT with an expiration. When the user clicks it, the token is sent to the backend and if it is valid we can let the user change their password. Note that a plain JWT is not single-use: the link keeps working until it expires, so keep the expiration short, and if the token must die after one use you have to track that server-side.

  • Auto login. Send your users an email or SMS with a JWT that has an expiration and you can log them in automatically with a simple link click. Keep the expiration short, because anyone who gets hold of the link gets the session.
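To make the three parts and the use cases concrete, here is an added example (my own code, not from the original post or any library) that builds and verifies HS256 tokens with only the Python standard library. It decodes the example token from above, then issues a login token and a short-lived forgot-password token, and shows the checks a verifier needs: the signature compared in constant time, the alg pinned so an alg=none token is refused, and exp enforced. The secret, the user ids, the 15-minute reset lifetime and the purpose claim are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# The token from the post above. SECRET and the user ids below are constructed
# for this example only.
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlR6b29rIEJhciBOb3kiLCJ3ZWJzaXRlIjoiaHR0cHM6Ly90em9va2IuY29tIn0."
    "79-chMwGpBzWhU-4oodSYy9ZBbbpjLRXQdjXPAmPrgc"
)
SECRET = b"demo-secret-do-not-use-in-production"
RESET_TTL = 15 * 60  # assumed lifetime of a forgot-password link, in seconds


def b64url_encode(data):
    # JWT uses base64url (- and _ instead of + and /) with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj):
    # Compact JSON (no spaces) is what most JWT libraries emit.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token):
    """What anyone can do with a JWT: read the header and payload. No secret needed."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def create_jwt(payload, secret):
    """Build header.payload.signature; the signature is HMAC-SHA256 over 'header.payload'."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token, secret, now=None):
    """Return the payload if the signature and exp check out, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token pick the algorithm: only accept the one we issue.
    # This is what refuses the classic alg=none token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest is constant-time, so a wrong signature does not leak which byte was wrong.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def rejects(token, secret, now=None):
    """True if verify_jwt refuses the token."""
    try:
        verify_jwt(token, secret, now)
        return False
    except ValueError:
        return True


def forge_payload(token, new_payload):
    """What an attacker without the secret can try: swap the payload, keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _compact(new_payload) + "." + sig_b64


def forge_alg_none(payload):
    """An alg=none token with an empty signature; a verifier that trusts 'alg' would accept it."""
    return _compact({"alg": "none", "typ": "JWT"}) + "." + _compact(payload) + "."


def issue_reset_token(user_id, secret, now):
    # Forgot-password use case: short-lived and tagged with a purpose claim (assumed name).
    return create_jwt({"sub": user_id, "purpose": "reset-password", "exp": now + RESET_TTL}, secret)


def verify_reset_token(token, secret, now):
    # Checking 'purpose' stops an ordinary login token from being replayed as a reset link.
    payload = verify_jwt(token, secret, now)
    if payload.get("purpose") != "reset-password":
        raise ValueError("wrong purpose")
    return payload["sub"]


if __name__ == "__main__":
    print("example token decodes to:", decode_unverified(EXAMPLE_TOKEN))
    t0 = 1_700_000_000
    login = create_jwt({"sub": "user-42", "exp": t0 + 3600}, SECRET)
    print("login ok:", verify_jwt(login, SECRET, now=t0))
    print("expired rejected:", rejects(login, SECRET, now=t0 + 3601))
    print("forged payload rejected:", rejects(forge_payload(login, {"sub": "admin"}), SECRET, now=t0))
    print("alg=none rejected:", rejects(forge_alg_none({"sub": "admin"}), SECRET, now=t0))
    reset = issue_reset_token("user-42", SECRET, now=t0)
    print("reset token belongs to:", verify_reset_token(reset, SECRET, now=t0 + 60))
```

Run it as a script to see the example token's header and payload printed in the clear, which is the point of the post: the payload is readable by anyone, and only the signature check (plus exp) tells the backend the token is genuine and still valid. In real code use a maintained JWT library rather than this hand-rolled one, but the checks it makes are the ones you should confirm your library also makes.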