interview

home / developersection / interviews / what is a jwt?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

2 Answers

Anubhav Kumar

Anubhav Kumar

09-Jun-2025

A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. It's commonly used for authentication and authorization in web applications and APIs.

Structure of a JWT

A JWT has three parts, separated by dots (.):

xxxxx.yyyyy.zzzzz
|     |     |
|     |     └── Signature (for integrity)
|     └── Payload (the claims)
└── Header (metadata)

1. Header

Typically contains:

{
  "alg": "HS256",  // Algorithm used to sign the token
  "typ": "JWT"
}

2. Payload (Claims)

Contains data or claims about the user or subject:

{
  "sub": "1234567890",        // Subject (e.g., user ID)
  "name": "Anna Hajare",
  "iat": 1717938123,          // Issued at (UNIX timestamp)
  "exp": 1717941723           // Expiration time (optional)
}

You can include custom claims too, but avoid putting sensitive data here—it's not encrypted by default.

3. Signature

Used to verify that the token was not tampered with. Created like:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

Or with a private key if using asymmetric encryption (RS256, etc.).

Common Uses of JWT

  • Authentication: After login, the server generates a JWT and sends it to the client. The client stores and sends it with every request.
  • Authorization: The server reads the JWT to determine what the user is allowed to do.
  • Stateless APIs: No session storage required—everything is in the token.

Important Notes

  • JWTs are signed, not encrypted (unless using JWE). Anyone can read the payload if they have the token.
  • Never put passwords or private info in a JWT unless encrypted.
  • Use short expiration times and refresh tokens for better security.

 

Read Also

ICSM Computer

ICSM Computer

08-Jun-2025

A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. It is widely used in authentication and authorization in modern web APIs.

Structure of a JWT

A JWT has three parts, separated by dots (.):

<Header>.<Payload>.<Signature>

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFubmEiLCJpYXQiOjE1MTYyMzkwMjJ9
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Specifies the type of token and the signing algorithm.

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload (Claims)

Contains the actual data (claims) like user ID, name, expiration time, etc.

Example:

{
  "sub": "1234567890",
  "name": "Anna",
  "role": "Admin",
  "iat": 1516239022,
  "exp": 1516242622
}

Common standard claims:

  • iss – Issuer
  • sub – Subject (user ID)
  • aud – Audience
  • exp – Expiration time
  • iat – Issued at

The payload is not encrypted — it's just Base64 encoded, so never put sensitive data in it.

3. Signature

Used to verify the token wasn't tampered with. It's created like this:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

The server can verify the JWT using the secret (or a public key, if using RSA).

Why Use JWTs?

Benefit Description
Stateless No server-side session needed
Compact Easily stored in headers, cookies, or localStorage
Self-contained Contains all needed user claims
Cross-domain support Easy for SPAs, mobile apps, and APIs
Verifiable Tamper-proof due to signature

Common Use Cases

  • Authentication
    • After login, the server issues a JWT.
    • Client includes it in headers on each request:
Authorization: Bearer <token>
  • Authorization
    • APIs decode the JWT and check roles/permissions in the payload.
  • Information exchange
    • Securely pass info between systems with assurance it's not altered.

JWT Best Practices

  • Use HTTPS to protect tokens in transit.
  • Set short expiry (exp) times.
  • Use strong secrets or keys.
  • Don't store sensitive info (like passwords).
  • Use refresh tokens to renew expired tokens.
  • Revoke JWTs via blacklisting (since they are stateless).
MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy