JWT Overview - bcgov/common-service-showcase GitHub Wiki

JSON Web Tokens

JSON Web Token (JWT) is a standards-based method for representing claims securely between two parties; it is defined in RFC 7519. A JWT can serve as a self-contained OAuth 2.0 access token, carrying all relevant parts of the access token within the token itself (RFC 9068 profiles JWTs as access tokens; RFC 7523 covers JWTs as OAuth 2.0 authorization grants and client-authentication assertions). A resource server can then verify the token with nothing more than the issuer's key, with no per-request database lookup, which improves service scalability. The trade-off is that a self-contained token cannot be revoked by deleting a server-side record, so keep token lifetimes short or maintain a revocation list.

A JWT can be digitally signed, encrypted, or both. If signed, the claims in the JWT can be verified to have come from the holder of the signing key and to be unaltered since signing. If encrypted, the claims are hidden from anyone without the decryption key; a signature on its own provides integrity and authenticity, not confidentiality. A JWT used as an access token commonly carries a "scope" claim, a space-separated list of the things the holder of the token (normally a client acting on behalf of a user) is allowed to do.

A signed-only JWT is not confidential: its payload is merely base64url-encoded and can be read by anyone who obtains the token, so it should not contain sensitive information. JWTs are signed using JSON Web Signature (JWS, RFC 7515). JSON Web Encryption (JWE, RFC 7516) encrypts a JWT and is the only way to hide its contents from third parties.

JWTs consist of three base64url-encoded parts separated by a period ('.') character. The first part is the header, which names the signing algorithm, such as HS256 (HMAC-SHA256 with a shared secret) or RS256 (RSA PKCS#1 v1.5 with SHA-256, signed with a private key and verified with the matching public key). The second part is the payload, which carries the claims, such as the subject, expiry and scope. The final part is the signature, computed over the concatenation of the encoded header and payload: with a symmetric algorithm it is an HMAC under the shared secret, and with an asymmetric algorithm it is a signature made with the issuer's private key. A verifier must decide in advance which algorithm and key it expects rather than trusting the "alg" value in the header; a verifier that honours the header can be tricked into accepting an unsigned token ("alg": "none") or into treating an RSA public key as an HMAC secret. For more details on JWT, such as decoding and inspecting JWTs, as well as creating and testing your own tokens, visit the JWT website.