
Introduction to JWT - What is a JSON Web Token?

What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs can be signed with a shared secret (using the HMAC algorithm) or with a public/private key pair (using RSA or ECDSA).

JWT Structure

A JWT consists of three Base64url-encoded parts separated by dots (.):

  • Header - Contains metadata about the token
  • Payload - Contains the claims (data)
  • Signature - Used to verify the token hasn't been tampered with

Example JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Use Cases

Authentication

Once a user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.

Information Exchange

JWTs are a good way of securely transmitting information between parties. Because a JWT can be signed, the recipient can verify who issued it and that its contents have not been altered since it was signed.

Common Applications

  • Single Sign-On (SSO): Authenticate once, access multiple services
  • API Authentication: Stateless authentication for REST APIs
  • Microservices: Service-to-service communication
  • Mobile Apps: Offline-capable authentication
  • OAuth 2.0: Standard token format for OAuth flows
  • Passwordless Auth: Magic links and one-time codes

Advantages

  • Stateless: No need to store session data on the server
  • Scalable: Works well in distributed systems
  • Self-contained: Contains all necessary information
  • Flexible: Can be used across different domains

Security Considerations

Important: JWTs are signed, not encrypted by default.

This means anyone who obtains a JWT can read its contents: the header and payload are only Base64url-encoded, not encrypted, and the signature protects integrity, not confidentiality. Never store sensitive information like passwords or credit card numbers in a JWT payload. If you need to encrypt the payload, use JWE (JSON Web Encryption).
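The three-part structure described above and the "signed, not encrypted" point can both be seen in a few lines of standard-library Python. The example below is added here and is not code from the original page: it decodes the page's sample token without any key (showing that the payload is readable by anyone), then signs a token of its own with HS256 and verifies it the way a server handling authenticated requests should, with the algorithm pinned and a constant-time signature comparison. The secret bytes and the claims in the signed token are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The sample token from the page: header.payload.signature, each part Base64url-encoded.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS/JWT parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload WITHOUT checking the signature.

    Anyone holding the token can do this, which is why the payload must
    never carry secrets. Never use the result for authorization decisions.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a JWT signed with HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}  # no whitespace inside the JSON parts
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, **compact).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the signature is valid; otherwise None.

    The expected algorithm is pinned by the verifier rather than taken from
    the token, so a header that claims a different (or no) algorithm is
    rejected before any signature check happens.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    header, payload = decode_unverified(PAGE_TOKEN)
    print("header :", header)   # readable with no key at all
    print("payload:", payload)

    demo_secret = b"constructed-demo-secret"  # constructed for this example
    token = sign_hs256({"sub": "42", "role": "user"}, demo_secret)
    print("verified payload:", verify_hs256(token, demo_secret))
    print("wrong secret    :", verify_hs256(token, b"not-the-secret"))
```

In a real service the verifier would additionally check the registered claims (for example `exp` and `iss`) after the signature passes, and the secret would come from a key store rather than a literal. The pattern to keep is the order of operations: pin the algorithm, verify the signature, and only then trust anything in the payload.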
