JSON Web Tokens
Akshaey Bhosale (Associate Information Security Analyst)
Indusface Pvt Ltd.
What is JSON Web Token?
• A compact and self-contained way of securely transmitting information between parties as a JSON object.
• JWTs are signed either with a secret using an HMAC algorithm or with a public/private key pair using RSA.
• JWTs are base64url encoded (encoded, not encrypted: anyone holding a token can read its header and payload).
• Used for authentication and information exchange.
What is JSON Web Token?
• Compact: because of their small size, JWTs can be sent in a URL, as a POST parameter or inside an HTTP header; the smaller the token, the faster it is transmitted.
E.g., eyJhbGciOBJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImpvaG4gZG9lIiwiaWF0IjoxNGYyMjMyNzI2fQ.NnOv-wHAf59L2WMcDlfNsTThOUY1a0JMFNgJIP67mqU
• Self-contained: the payload carries all the required information about the user, avoiding the need to query the database more than once.
JWT Structure
• A JSON Web Token consists of three parts separated by dots (.):
• Header
• Payload
• Signature
• Therefore a JWT typically looks like:
Header.Payload.Signature
JWT Structure
• Header
• The header consists of two parts: the token type, which is JWT, and the hashing (signing) algorithm being used.
• For example:
• This is base64url encoded to form the first part of the JWT.
JWT Structure
• Payload
• The second part is the "payload", which contains the claims. Claims come in three kinds:
• Reserved
• Public
• Private
JWT Structure
• Reserved claims:
These are a set of predefined claims that are not mandatory but recommended.
e.g., iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
• Public claims:
These are defined at will by those using JWTs.
e.g., user name, object identifier, UUID.
{"_id":"5e54ca53ff6a2d1d8474f070","authkey":"3413160f-802e-4824-9b02-a58ec0e39a3c","iv":"7dd45104-e74a-4bb4-aed0-063309489833","iat":1582615160,"exp":1583824820,"jti":"e6bb2ac9a2f04214b62a28135fb005ae"}
• Private claims:
These are custom claims agreed between the two parties for transferring information between them.
e.g., employee ID, department name.
JWT Structure
Payload
The payload is then base64url encoded to form the second part of the JWT.
JWT Structure
• Signature
• To create the signature, take the encoded header, the encoded payload, a secret and the algorithm specified in the header, and sign the encoded header and payload with the secret using that algorithm.
• The signature provides integrity, ensuring that the message wasn't changed along the way.
• For example, if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way.
Point To Remember
• If we add "Authorization: Bearer <token>" to the request headers, the user will be allowed to access protected resources.
• If the token is sent in the Authorization header rather than a cookie, CORS won't be an issue.
Let's see it in a practical way!
References
• https://jwt.io
• http://self-issued.info/docs/draft-jones-json-web-token-01.html
• https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
Any Queries?
Thank You