What is a JWT (JSON Web Token) and how it works?
JWT (JSON Web Token) is a standardized format for creating access tokens that assert claims between two parties. They are compact, URL-safe, and consist of three main parts: the header, payload, and signature.
- Header: The header typically contains two parts: the algorithm used for signing the token (such as HMAC SHA256 or RSA) and the token type, which is always "JWT".
{ "alg": "HS256", "typ": "JWT" }
- Payload: The payload contains the claims, which are statements about an entity (usually the user). Claims include standard fields like sub (subject) and exp (expiration), and custom fields like role.
{ "sub": "1234567890", "name": "John Doe", "role": "admin", "iat": 1516239022 }
- Signature: The signature is created by signing the encoded header and payload with a secret key (a private key for the RSA and EC algorithms described below) using the algorithm named in the header. This signature ensures the token's integrity.
The typical JWT workflow involves several steps:
- User logs in: Upon successful authentication, the server generates a JWT containing user information and sends it to the client.
- Client stores the token: The client (e.g., a web browser) stores the token, typically in localStorage or a cookie.
- Token included in requests: For subsequent requests to protected routes, the client sends the JWT in the HTTP Authorization header.
- Server validates the token: The server verifies the token's signature and checks its claims, such as expiration. If valid, the server processes the request.
Benefits of using JWT:
- Stateless Authentication: JWTs carry all necessary information within the token, removing the need for server-side session storage. This improves scalability and simplifies session management.
- Enhanced Security: Because each token is signed, any tampering is detected at verification time, and the recipient can confirm the token's origin and integrity.
- Cross-Domain Authentication: Their compact format makes JWTs suitable for microservices architecture, enabling seamless communication between different domains.
JWTs are a cornerstone of secure web authentication, providing a simple yet effective way to transmit information securely. By understanding their structure and implementing them correctly, developers can enhance both the security and functionality of their web applications. As you delve deeper into web development, leveraging JWTs will be essential in constructing reliable and secure systems.
How To Create a Private Key?
RS Algorithms
You can generate an RSA private key using openssl:
openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048
Copy the content of the private.pem file to the Private Key input on the page to encode a JWT with any of the RSA algorithms.
You can also extract the public key out of the private key to use it for decoding:
openssl rsa -in private.pem -pubout -out public.pem
Copy the content of the public.pem file to the Public Key input on the page to decode the JWT.
ES256 Algorithm
ES256 is an algorithm used for signing and verifying JWTs (JSON Web Tokens) using Elliptic Curve Digital Signature Algorithm (ECDSA).
- E = Elliptic Curve Digital Signature Algorithm
- S256 = SHA-256 Algorithm
- Based on the P-256 (aka secp256r1) elliptic curve
You can generate an ES256 private key using openssl:
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
Convert to PKCS#8:
openssl pkcs8 -topk8 -in private.pem -out private-pkcs8.pem -nocrypt
Copy the content of the private-pkcs8.pem file to the Private Key input on the page to encode a JWT with the ES256 algorithm.
You can also extract the public key out of the private key to use it for decoding:
openssl ec -in private-pkcs8.pem -pubout -out public.pem
Copy the content of the public.pem file to the Public Key input on the page to decode the JWT.
ES384 Algorithm
ES384 is an algorithm used for signing and verifying JWTs (JSON Web Tokens) using Elliptic Curve Digital Signature Algorithm (ECDSA).
- E = Elliptic Curve Digital Signature Algorithm
- S384 = SHA-384 Algorithm
- Based on the P-384 (aka secp384r1) elliptic curve
You can generate an ES384 private key using openssl:
openssl ecparam -name secp384r1 -genkey -noout -out private.pem
Convert to PKCS#8:
openssl pkcs8 -topk8 -in private.pem -out private-pkcs8.pem -nocrypt
Copy the content of the private-pkcs8.pem file to the Private Key input on the page to encode a JWT with the ES384 algorithm.
You can also extract the public key out of the private key to use it for decoding:
openssl ec -in private-pkcs8.pem -pubout -out public.pem
Copy the content of the public.pem file to the Public Key input on the page to decode the JWT.
ES512 Algorithm
ES512 is an algorithm used for signing and verifying JWTs (JSON Web Tokens) using Elliptic Curve Digital Signature Algorithm (ECDSA).
- E = Elliptic Curve Digital Signature Algorithm
- S512 = SHA-512 Algorithm
- Based on the P-521 (aka secp521r1) elliptic curve
You can generate an ES512 private key using openssl:
openssl ecparam -name secp521r1 -genkey -noout -out private.pem
Convert to PKCS#8:
openssl pkcs8 -topk8 -in private.pem -out private-pkcs8.pem -nocrypt
Copy the content of the private-pkcs8.pem file to the Private Key input on the page to encode a JWT with the ES512 algorithm.
You can also extract the public key out of the private key to use it for decoding:
openssl ec -in private-pkcs8.pem -pubout -out public.pem
Copy the content of the public.pem file to the Public Key input on the page to decode the JWT.