JWT - Token Authentication

Suppose we request our API and it should return data. Tokens are a good thing to use with an API because they are small enough to send with every single request.

Generally, "JWT" stands for JSON Web Token, which is a standard for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization purposes in web applications.

JSON Web Tokens are an industry standard for tokens, defined in RFC 7519. They are self-contained and can carry credentials, claims, and other information.

JWT Structure

Figure 1

If we take a look at the structure of a JWT, it is basically a long string split into three parts, each separated by a period.

The first part is the header of the token. It contains the algorithm that is used to produce the encrypted signature in the third part of the token, and the type of the token (JWT).

The second part is the payload. The payload contains the claims and credentials, so it can hold things like the name identifier, the username, the user's roles, and any other claims the user makes about themselves. When we say claims, we mean that a user is claiming to be something. In this case, the user is claiming to be "Hanrik_Losser", and there are also two timestamps inside, which means the token cannot be used before a specific date and time, or after it has expired.

The third part contains the signature, which is encrypted by the server itself using a secure key. The signature is the only part of the token that is encrypted; everything else is easily obtained simply by decoding the token.

Token Authentication

Figure 2

Users log in by sending their username and password up to the server. The server validates their credentials and returns a JSON Web Token, which the client stores locally on their machine. Typically we use browser storage to hold onto the token so that we can send it with every single request. Therefore, any time we want to access something on the server that is protected by authentication, we send up the JWT with that request.

What we do with this token is add it to the request in an authentication header; the server then takes a look at the token and verifies that it is valid. The server that signed the token has access to the private key stored on the server, so it can verify the token without needing to make a call to the database. If the token checks out, the server sends back the response.
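The structure and verification flow described above, as an added example (not code from the original article): a server mints an HS256 token, whose signature is an HMAC-SHA256 over the base64url-encoded header and payload, and later verifies it offline using only its secret key, pinning the algorithm and enforcing the nbf/exp window. The secret key and claim values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side signing secret for this example; a real one is random and kept private.
SECRET = b"example-signing-key-change-me"


def _b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7519 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Return header.payload.signature, signed with HMAC-SHA256 (alg HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (_b64url(json.dumps(header, **compact).encode())
                     + "." + _b64url(json.dumps(claims, **compact).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and time window are valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the server decides how to verify, never the token's own "alg".
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # payload or header was altered, or signed with a different key
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # Enforce the two timestamps: not yet valid (nbf) and expired (exp); exp is required.
    if "exp" not in claims or now < claims.get("nbf", 0) or now >= claims["exp"]:
        return None
    return claims
```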

Benefits of JWT

  1. No session to manage - JWTs are self-contained tokens.
  2. Portable - A single token can be used with multiple backends.
  3. No cookies required - mobile friendly. Mobile phones do not deal with cookies, whereas they can deal with JSON Web Tokens.
  4. Performance - Once a token is issued, there is no need to make a database request to verify a user's authentication.

Useful Links

  1. https://jwt.ms/: This website allows you to paste a JWT and decode its contents, showing the token's claims such as the issuer, subject, expiration time, and more. It helps developers and administrators verify the correctness of JWTs and investigate potential issues.
  2. https://jwt.io/: This website includes a JWT debugger that allows you to decode, verify, and debug JWTs. It also provides a collection of JWT libraries for various programming languages, making it easier to work with JWTs in your preferred development environment.

More articles by Qabas Al-Mamari