#JWT #jsonwebtokens #authentication

What is JWT and how it works?

JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information between a client and a server.

It is most commonly for authentication in modern web apps.

A JWT has three parts separated by dots: xxxxx[dot]yyyyy[dot]zzzzz

1. 𝐇𝐞𝐚𝐝𝐞𝐫: Contains the algorithm used for signing the JWT (e.g., HMAC SHA256 or RSA) and the token type (JWT). 2. 𝐏𝐚𝐲𝐥𝐨𝐚𝐝: Contains the “claims”, statements about an entity (typically, the user) and additional data. 3. 𝐒𝐢𝐠𝐧𝐚𝐭𝐮𝐫𝐞: Used to verify that the sender and ensure the token hasn’t been tampered with. Generated by taking the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and signing it.

How does it work? 1. The user logs in with credentials. 2. The server validates credentials and generates a signed JWT. 3. The server sends the JWT back to the client. 4. The client stores the JWT token (typically in localStorage or cookies). 5. For future requests, the client includes the JWT in the Authorization header.

Key Benefits: - Statelessness: No need to store session information on the server, making APIs more scalable. - Security: Digitally signed to prevent tampering. - Compact: Small size allows for efficient transmission.

What’s the difference between Session-based authentication and JWTs?

Here’s a simple breakdown for both approaches:

Session-Based Authentication

In this approach, you store the session information in a database or session store and hand over a session ID to the user.

Think of… pic.twitter.com/Y1KG74A5c6

— Alex Xu (@alexxubyte) May 14, 2024

#JWT #JSONWebTokens #Authentication