search
Page cover

JSON Web Tokens

JSON Web Tokens (JWT) can be encoded into a URL-friendly string format, which can be signed for authentication and/or encrypted for protection.

hashtag
Structure of JWT

hashtag
A JWT typically looks like xxxxx.yyyyy.zzzzz and is divided into:

  • Header: Contains token type and the signing algorithm being used.

  • Payload: Contains the claims which are statements about the entity (typically, the user) and additional data.

  • Signature: To prevent tampering, the header and payload are combined and encrypted.

hashtag
Setup

hashtag
Before creating and verifying JWTs, you'll need to install required libraries. Here's how you can do it for a Node.js project:

npm install jsonwebtoken

hashtag
Creating a JWT

const jwt = require('jsonwebtoken');

// Sample payload
const payload = {
    userId: 12345,
    role: "admin"
};

// Signing the token
const secretKey = "yourSuperSecretKey";
const token = jwt.sign(payload, secretKey, { expiresIn: '1h' });

console.log(token);

hashtag
Verifying a JWT

hashtag
Using JWT for Authentication

A common use case for JWT is authentication. Upon user login, a token is generated and sent to the client. For subsequent requests, the client sends this token back, and the server verifies it.

hashtag
Generating Token on Login:

hashtag
Verifying Token for Protected Routes:

hashtag
Best Practices

  • Keep it Secret, Keep it Safe: Never expose your secret key. Use environment variables or secret management tools.

  • Short Lifespan: Use short-lived JWTs to reduce potential misuse.

  • Use HTTPS: Always transfer JWTs over a secure layer to prevent Man-In-The-Middle attacks.

  • Handle Expiry Gracefully: Implement mechanisms on the client side to handle token expiry and re-authentication.

hashtag
Libraries for Other Languages

hashtag
JWT is supported in many languages. Some popular libraries include:

  • Python: PyJWT

  • Ruby: ruby-jwt

  • Java: java-jwt

PreviousSystem DesignNextC Language

Last updated