JSON Web Tokens
What is a JWT
First, take a look at these JWT token tools.
Simply put, a JWT is a string with the following format:
header.payload.signature
Header Sample
{
"typ": "JWT",
"alg": "HS256"
}
typ is of course JWT, and alg names the algorithm used to sign the token: HS256 means HMAC using SHA-256 with a shared secret (it is a keyed MAC, not plain hashing or encoding). A verifier should decide the expected algorithm itself rather than trusting whatever alg the token's header claims.
Payload
The payload component is the data stored in the JWT (the claims).
There are some optional registered claims in the payload, such as "iss" (issuer), "sub" (subject) and "exp" (expiration time). "exp" must be a NumericDate, i.e. seconds since the Unix epoch, not a formatted date string.
{
"userId": "1101001",
"name": "Allen",
"exp": 1547078400
}
Signature
The JWT signature is computed with this pseudocode (the final token is data, a dot, then the signature):
data = base64urlEncode( header ) + '.' + base64urlEncode( payload )
hashedData = HMAC_SHA256( secret, data )
signature = base64urlEncode( hashedData )
token = data + '.' + signature
How does JWT protect data
Most important: a JWT does not encrypt its data. It proves that the data was produced by a party holding the signing key and has not been changed since, and only if the receiver actually verifies the signature. The header and payload are merely base64url-encoded, so anyone who obtains the token can decode and read them without knowing the secret.
A JWT therefore guarantees no confidentiality for its contents. Don't store sensitive data (passwords, secrets, personal data) in the payload. (The related JWE format does encrypt; the signed token described here is a JWS and does not.)
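The signing pseudocode above and the point that anyone can read the payload, as an added Python example that is not part of the original post. It builds an HS256 token exactly as described (base64url header and payload, HMAC-SHA256 over them with a shared secret), verifies it with the algorithm pinned and a constant-time signature comparison, checks exp, and shows that the payload is readable without the secret while a forged payload or an unsigned (alg none) token is rejected. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; in practice use a long random key from a secret store.
SAMPLE_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    # base64url without '=' padding, as JWS requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding that was stripped on encoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    # compact JSON, no whitespace, so the encoding is deterministic
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    # data = base64url(header) + '.' + base64url(payload); signature = HMAC-SHA256(secret, data)
    header = {"typ": "JWT", "alg": "HS256"}
    data = _json_b64(header) + "." + _json_b64(payload)
    signature = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(signature)


def read_payload(token: str) -> dict:
    # Anyone holding the token can do this: the payload is encoded, not encrypted.
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    # Returns the claims on success; raises ValueError on any failure.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison to avoid leaking the signature byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def forge_payload(token: str, new_payload: dict) -> str:
    # Attacker swaps the payload but cannot recompute the HMAC without the secret.
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_b64(new_payload) + "." + sig_b64


def unsigned_token(payload: dict) -> str:
    # An 'alg: none' token with an empty signature part; a pinned verifier rejects it.
    return _json_b64({"typ": "JWT", "alg": "none"}) + "." + _json_b64(payload) + "."


if __name__ == "__main__":
    claims = {"userId": "1101001", "name": "Allen", "exp": 1547078400}  # 2019-01-10T00:00:00Z
    token = sign_hs256(claims, SAMPLE_SECRET)
    print("token:", token)
    print("payload readable without secret:", read_payload(token))
    print("verified:", verify_hs256(token, SAMPLE_SECRET, now=1547000000))
    for bad in (forge_payload(token, {**claims, "userId": "1"}), unsigned_token(claims)):
        try:
            verify_hs256(bad, SAMPLE_SECRET, now=1547000000)
        except ValueError as exc:
            print("rejected:", exc)
```

Run it directly to see the token, the decoded payload, and the two rejections. The expiry check takes `now` as a parameter so it can be tested deterministically; production code would pass nothing and use the clock.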