JWT

A JSON Web Token (JWT) is a compact, URL-safe token format that carries a signed JSON payload. JWTs convey identity and authorization claims between services in a way the recipient can verify cryptographically, without calling back to a central database.

How it works

A JWT is three Base64URL-encoded sections separated by dots: header.payload.signature. The header declares the signing algorithm. The payload contains claims. The signature is computed over the encoded header and payload using either a shared secret (HMAC) or a private key (RSA, EC); the recipient verifies it with the same secret or the matching public key before trusting any claim. The payload is encoded, not encrypted; anyone with the token can read it.

Common claims

  • sub: subject, the user or entity the token is about
  • iss: issuer
  • aud: audience, the intended recipient service
  • exp: expiry timestamp
  • nbf: not-before timestamp
  • iat: issued-at timestamp
  • jti: JWT ID, useful for revocation tracking
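The following Python is an added example, not code from the original page. It uses only the standard library to build and verify an HS256 token with the structure described above and to check the registered claims listed here. The secret, issuer, audience, subject and fixed clock value are constructed sample values, and the helper names (issue_hs256, verify_hs256, peek_claims, rejection_reason) are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example (not from the page).
SECRET = b"example-shared-secret-change-me"
ISSUER = "https://auth.example.com"
AUDIENCE = "orders-api"
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT segments omit, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying it: it is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token, secret, issuer, audience, now=None):
    """Return the claims if the signature and registered claims check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the verifier decides which algorithm applies, never the token's header.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Check the signature (constant-time compare) before trusting anything in the payload.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now

    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # exp is optional in RFC 7519; this verifier requires it (a deliberate policy choice in this example).
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired or missing exp")
    if now < int(claims.get("nbf", now)):
        raise ValueError("not yet valid")
    return claims


def rejection_reason(token, secret, issuer, audience, now=None):
    """None when the token verifies; otherwise the reason string, suitable for logging."""
    try:
        verify_hs256(token, secret, issuer, audience, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    claims = {"sub": "user-42", "iss": ISSUER, "aud": AUDIENCE,
              "iat": NOW, "nbf": NOW, "exp": NOW + 3600, "jti": "demo-1"}
    token = issue_hs256(claims, SECRET)
    print(token)
    print(peek_claims(token))  # readable by anyone holding the token, no secret needed
    print(rejection_reason(token, SECRET, ISSUER, AUDIENCE, NOW))  # None: the token verifies
```

Two design choices are worth noting. The verifier fixes the expected algorithm itself rather than reading it from the header, so the signing key is only ever used with the algorithm it was meant for. It also treats exp as mandatory and checks iss and aud against values it expects, so a token issued for a different service or by a different issuer is rejected even though its signature is valid; rejection_reason gives a stable string for each failure that can be logged and counted in detection pipelines.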

Specification

Defined by RFC 7519. Related specifications cover signing (JWS, RFC 7515), encryption (JWE, RFC 7516), and key formats (JWK, RFC 7517).
