How JSON Web Tokens (JWT) Work Under the Hood, Explained With an Analogy
JWT (RFC 7519) is a standard for passing a set of JSON claims between parties as a compact, URL-safe string whose integrity is protected by a signature or MAC (JWS); the same container can also be encrypted (JWE), though most authentication tokens are only signed. But how does JWT authentication work under the hood? Let me break it down for you with an analogy of a secret club, like you are 5.
Imagine you want to join a club that has a lot of fun activities and games. But the club is very exclusive and only allows members who have a special badge to enter. The badge is like a JWT, which is a way of proving that you are who you say you are.
To get a badge, you go to the club’s headquarters and show them some proof of your identity, like your name, age, and email. The club then gives you a badge with your information written on it (the claims in the JWT payload) and stamps it with a seal that only the club can produce, because the seal is made with a key that only the club holds. That seal is the JWT’s signature: anyone can read what is written on the badge, but nobody else can make a valid seal, and changing the writing breaks it. Since the writing is readable by anyone holding the badge, the club never puts secrets on it. The badge is also stamped with an expiration date, which tells you how long the badge is valid for. The expiration date is like the exp claim in a JWT, which tells the server when the token stops being valid.
The badge you get from the club is called an access token, because it allows you to access the club’s activities and games. You can use the access token to enter any of the club’s branches, as long as the badge is not expired. The club has bouncers who look at your badge before letting you in. They also keep an eye on the club’s activities and games, and make sure that everyone is following the rules and having fun. If someone breaks the rules, causes trouble, or tries to sneak in without a badge, the bouncers will stop them and kick them out of the club.
Bouncers are like the servers or APIs that use JWT authentication to verify your identity and authorize your access. Before trusting anything written on the badge, a bouncer checks the seal: the server verifies the signature with its key, insists on the signing algorithm it expects rather than the one the token names, and only then checks the claims, such as exp and, where used, the issuer and audience. They also monitor the requests and responses, and make sure that everything is working properly. If someone sends a bad request, causes an error, or tries to use an invalid or expired token, the servers will reject them and send an appropriate response code, typically 401 for a missing, invalid or expired token and 403 for a valid token that does not carry the needed rights. Sometimes, they may even log or report the incident if it is suspicious.
But what if your badge expires and you want to keep playing in the club? You don’t want to go back to the headquarters every time and show them your identity again, right? That would be too much hassle. Well, there is a solution for that. When you get your access token from the club, they will also give you another badge called a refresh token. The refresh token is like a backup badge that you can use to get a new access token without showing your identity again.
The refresh token has a much longer expiration date than the access token, and the bouncers will not accept it at the door: it is often not a JWT at all but an opaque random string that the club records in its own books, and when it is a JWT it carries a different audience or type claim so the bouncers can tell it apart. Instead, you need to go to a special booth near the club’s entrance (the token endpoint) and show them your refresh token. They will then give you a new access token with a new expiration date and a fresh seal. You can then use the new access token to enter the club as usual.
The refresh token is useful because it saves you the time and effort of authenticating yourself again. But it also has some risks. If someone steals your refresh token, they can use it to get new access tokens and pretend to be you for as long as the refresh token lasts. That’s why refresh tokens should be kept safe and secure, and why the booth should hand out a new refresh token on every visit and retire the old one; if a retired token is ever presented again, the club knows it was copied and can revoke that member’s tokens. You also need to make sure that the refresh token has an expiration date too, so that it can’t be used forever.
Now let’s talk about user roles. User roles are like different kinds of membership in the club. Some people have more rights than others, depending on their role. For example, some people may have the admin role, which means they can make new games for the club, or change or remove old ones. Some people may have the moderator role, which means they can watch over other people’s behavior and report any problems to the admins. Some people may have the user role, which means they can only join existing activities and games, but not make or change them.
User roles are like a role claim in a JWT, which tells the server what kind of rights the user has. The server can trust this claim only because it has already verified the seal: without the signature check, anyone could write admin on their own badge. The server uses the claim to decide whether the user may perform certain actions or see certain things. For example, if a user tries to create a new game in the club using their access token, but their role claim is user, not admin, then the server will refuse the request and send an error message (a 403).
That’s it for this article. I hope you enjoyed learning about JWT authentication with me. If you have any questions or feedback, feel free to reply or DM me. Thanks for reading and happy coding!