JSON Web Token (JWT)

A JWT is a set of JSON claims that are signed, encrypted, or both, and are encoded into a web-safe form. This set of claims might or might not include some of the well-known registered claims that RFC 7519 defines.

Signing, encryption, key representation, and the algorithm identifiers are defined in RFC 7515 (JSON Web Signature), RFC 7516 (JSON Web Encryption), RFC 7517 (JSON Web Key), and RFC 7518 (JSON Web Algorithms). RFC 7519 defines the JWT itself.

A JWT contains three Base64url-encoded strings that are separated by dots (“.”).

For a signed JWT, these parts are the JOSE header, the payload (the set of claims), and the signature.

All three parts are Base64url encoded without padding. The following is an example JWT:

eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ5b3UiLCJpc3MiOiJtZSIsInN1YiI6InRvZGF5IiwiZGF5IjoibW9uZGF5In0.6f14Ub6WuEuMMSa_6hkXfj5kpVAI9tkmP5vcbX1qH3Y

This JWT is signed by using the HS256 algorithm (HMAC with SHA-256) and the shared key “secret”.
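The following script is an added example and is not part of the original page. It takes the example token above apart into its three Base64url parts, decodes the header and the claim set, and shows the other half of the story that the page only states: how an HS256 signature is produced and checked. The signing input is exactly the ASCII bytes of `header.payload`, and the verifier pins the algorithm it will accept instead of reading it from the header, because the header arrives from the client and is as untrusted as the claims. Only the Python standard library is used; the key `example-key` and the round-trip claim set are constructed values for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The token quoted on this page: header.payload.signature, which the page
# states was signed with HS256 and the shared key "secret".
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJhdWQiOiJ5b3UiLCJpc3MiOiJtZSIsInN1YiI6InRvZGF5IiwiZGF5IjoibW9uZGF5In0."
    "6f14Ub6WuEuMMSa_6hkXfj5kpVAI9tkmP5vcbX1qH3Y"
)


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Decode the three parts of a signed JWT. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a signed JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload and append HMAC-SHA256 over exactly those ASCII bytes."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid for `key`, otherwise None.

    The verifier decides which algorithm is acceptable. The header is only
    checked for agreement with that decision, never trusted to choose the
    algorithm, so a header of "alg":"none" or any other value is rejected.
    """
    try:
        parts = token.split(".")
        header, claims, signature = split_jwt(token)
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    except ValueError:  # wrong part count, bad Base64url, bad JSON, non-ASCII
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    return claims


if __name__ == "__main__":
    header, claims, signature = split_jwt(PAGE_TOKEN)
    print("header :", header)
    print("claims :", claims)
    print("sig len:", len(signature), "bytes")
    print("verifies under 'secret':", verify_hs256(PAGE_TOKEN, b"secret") is not None)

    # Round trip with a constructed claim set and key (example values, not from the page).
    token = sign_hs256({"iss": "me", "aud": "you", "sub": "alice"}, b"example-key")
    print("round trip ok:", verify_hs256(token, b"example-key") is not None)
    print("wrong key    :", verify_hs256(token, b"other-key"))
```

Two points worth keeping in mind when reading the output. First, decoding the header and claims needs no key at all; only the third part gives any assurance about who produced the token, so nothing in the claims may be acted on before `verify_hs256` has returned them. Second, the page's key “secret” is fine for a demonstration, but RFC 7518 requires an HS256 key of at least 256 bits, and a verifier that checks `aud`, `iss`, and expiry claims after the signature check is what turns a valid signature into an authorization decision.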

You can use http://jwt.io to create and validate simple signed JWTs.