
JSON Web Tokens

A JSON Web Token (JWT) is a compact, URL-safe string that carries a set of claims. It can be signed so the receiver can verify who issued it and that it was not altered, and/or encrypted so that its contents stay confidential.

Structure of JWT

A JWT typically looks like xxxxx.yyyyy.zzzzz and is divided into:

  • Header: Contains token type and the signing algorithm being used.

  • Payload: Contains the claims which are statements about the entity (typically, the user) and additional data.

  • Signature: To detect tampering, the encoded header and payload are joined and signed with the algorithm named in the header (for example an HMAC with a shared secret). A signed JWT is not encrypted: anyone holding the token can read its header and payload, so claims must not contain secrets.


Setup

Before creating and verifying JWTs, you'll need to install required libraries. Here's how you can do it for a Node.js project:

npm install jsonwebtoken

Creating a JWT

const jwt = require('jsonwebtoken');

// Sample payload
const payload = {
    userId: 12345,
    role: "admin"
};

// Signing the token
const secretKey = "yourSuperSecretKey";
const token = jwt.sign(payload, secretKey, { expiresIn: '1h' });

console.log(token);

Verifying a JWT

const jwt = require('jsonwebtoken');

// Assuming token is received from a client or some source
const receivedToken = "received_token_here";

// Verifying the token: pin the accepted algorithm instead of trusting the token's own header
const secretKey = "yourSuperSecretKey";

try {
    const decoded = jwt.verify(receivedToken, secretKey, { algorithms: ['HS256'] });
    console.log(decoded);
} catch (error) {
    // Thrown for a bad signature, an expired token, a malformed token, etc.
    console.error("Invalid token:", error.message);
}

Using JWT for Authentication

A common use case for JWT is authentication. Upon user login, a token is generated and sent to the client. For subsequent requests, the client sends this token back, and the server verifies it.

Generating Token on Login:

const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
app.use(express.json());
const secretKey = process.env.JWT_SECRET; // loaded from the environment, never hard-coded

app.post('/login', (req, res) => {
    // Validate user credentials (e.g., against a database)
    // ...

    // If valid, generate JWT for the authenticated record (`user` is the account found above)
    const token = jwt.sign({ userId: user.id }, secretKey, { expiresIn: '1h' });

    res.json({ token });
});

Verifying Token for Protected Routes:

app.get('/protected', (req, res) => {
    // Clients send "Authorization: Bearer <token>"; pass only the token to verify
    const authHeader = req.headers.authorization || '';
    const token = authHeader.startsWith('Bearer ') ? authHeader.slice('Bearer '.length) : null;
    if (!token) return res.status(401).send("Unauthorized");

    try {
        const user = jwt.verify(token, secretKey, { algorithms: ['HS256'] });
        // Continue processing with the verified claims...
        res.json({ userId: user.userId });
    } catch {
        res.status(401).send("Unauthorized");
    }
});

Best Practices

  • Keep it Secret, Keep it Safe: Never expose your secret key. Use environment variables or secret management tools.

  • Short Lifespan: Use short-lived JWTs to reduce potential misuse.

  • Use HTTPS: Always transfer JWTs over a secure layer to prevent Man-In-The-Middle attacks.

  • Handle Expiry Gracefully: Implement mechanisms on the client side to handle token expiry and re-authentication.


Libraries for Other Languages

  • Python: PyJWT

  • Ruby: ruby-jwt

  • Java: java-jwt
