What is a JWT Token

First, take a look at this JWT token tool.

Simply put, a JWT is a string with the following format:

header.payload.signature

JWT Format

Header Sample

{
  "typ": "JWT",
  "alg": "HS256"
}

The type is of course JWT, and the algorithm HS256 means the signature is computed with HMAC-SHA256 over the encoded string.

Payload

The payload component holds the data stored in the JWT. There are some optional items (claims) in the payload, such as "iss", "sub" and "exp" (the expiry, given as seconds since the Unix epoch).

{
  "userId": "1101001",
  "name": "Allen",
  "exp": 1547078400
}

Signature

The JWT signature can be expressed with this pseudocode:

data = base64urlEncode( header ) + '.' + base64urlEncode( payload )
hashedData = hash( data, secret )
signature = base64urlEncode( hashedData )

How does a JWT protect data

Most importantly, a JWT is not a way to encrypt data; it is a way to prove that the data was created by an authentic source, so
the data can be easily decoded and read. A JWT does not provide any confidentiality for sensitive data, so don't put sensitive data in a JWT.
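As an added example (not code from the original post), here is the signature pseudocode above carried through in Python: it builds an HS256 token, shows that the payload is readable by anyone without the secret, and verifies the signature with a constant-time compare. The secret and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real key must be random and kept server-side.
SECRET = b"demo-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped on encoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    # data = base64url(header) + "." + base64url(payload); signature = HMAC-SHA256(data, secret)
    header = {"typ": "JWT", "alg": "HS256"}
    data = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    hashed = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(hashed)


def read_payload_unverified(token: str) -> dict:
    # The payload is only base64url encoded: no secret is needed to read it.
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    # Returns the payload only if the signature matches and the token is not expired.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token's "alg" choose the verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload
```

Running `sign_hs256({"userId": "1101001", "name": "Allen", "exp": 1547078400}, SECRET)` yields the three-part string, and `read_payload_unverified` returns the claims with no key at all, which is why nothing sensitive belongs in the payload.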