# JSON Web Tokens ## **Structure of JWT** #### A JWT typically looks like `xxxxx.yyyyy.zzzzz` and is divided into: * **Header**: Contains token type and the signing algorithm being used. * **Payload**: Contains the claims which are statements about the entity (typically, the user) and additional data. * **Signature**: To prevent tampering, the header and payload are combined and encrypted. *** ## **Setup** #### Before creating and verifying JWTs, you'll need to install required libraries. Here's how you can do it for a Node.js project: ```bash npm install jsonwebtoken ``` *** ## **Creating a JWT** ```javascript const jwt = require('jsonwebtoken'); // Sample payload const payload = { userId: 12345, role: "admin" }; // Signing the token const secretKey = "yourSuperSecretKey"; const token = jwt.sign(payload, secretKey, { expiresIn: '1h' }); console.log(token); ``` *** ## **Verifying a JWT** ```javascript const jwt = require('jsonwebtoken'); // Assuming token is received from a client or some source const receivedToken = "received_token_here"; // Verifying the token const secretKey = "yourSuperSecretKey"; try { const decoded = jwt.verify(receivedToken, secretKey); console.log(decoded); } catch (error) { console.error("Invalid token:", error.message); } ``` *** ## **Using JWT for Authentication** A common use case for JWT is authentication. Upon user login, a token is generated and sent to the client. For subsequent requests, the client sends this token back, and the server verifies it. #### **Generating Token on Login**: ```javascript app.post('/login', (req, res) => { // Validate user credentials (e.g., against a database) // ... // If valid, generate JWT const token = jwt.sign({ userId: user.id }, secretKey, { expiresIn: '1h' }); res.json({ token }); }); ``` #### **Verifying Token for Protected Routes**: ```javascript app.get('/protected', (req, res) => { const token = req.headers.authorization; try { const user = jwt.verify(token, secretKey); // Continue processing... } catch { res.status(401).send("Unauthorized"); } }); ``` *** ## **Best Practices** * **Keep it Secret, Keep it Safe**: Never expose your secret key. Use environment variables or secret management tools. * **Short Lifespan**: Use short-lived JWTs to reduce potential misuse. * **Use HTTPS**: Always transfer JWTs over a secure layer to prevent Man-In-The-Middle attacks. * **Handle Expiry Gracefully**: Implement mechanisms on the client side to handle token expiry and re-authentication. *** ## **Libraries for Other Languages** #### JWT is supported in many languages. Some popular libraries include: * Python: `PyJWT` * Ruby: `ruby-jwt` * Java: `java-jwt` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://smadi0x86-blog.gitbook.io/smadi0x86-playground/software-engineering/json-web-tokens.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.