Sunday, July 26, 2015

What is JWT?

API based software development has increased hugely, so we now need to think about how to secure API based applications. In my previous post I explained how to use token based authentication. In this post we will look at how to use JSON Web Tokens and how to secure API based applications with them.
JSON Web Tokens (JWT, pronounced "jot") work across different programming languages. A JWT consists of three parts separated by dots (.):
  • Header
  • Payload
  • Signature

Header

The header contains the token type and the hashing algorithm used for the signature.

Payload

The payload contains the JWT claims. There are three claim types.

  • Registered claims
Claims that are not mandatory but whose names are registered for us, for example the issuer of the token (iss), the subject of the token (sub) and the expiration time of the token (exp).
  • Public claims
Claims defined by the API owner, for example the username and other important data.
  • Private claims
Claims agreed between the producer and the consumer of the API.

Signature

The signature is made up of a hash of the following components:

  • Header
  • Payload
  • Secret (this value is held on the server)

After that, on each request the server needs to decode the JWT and check the payload claims.
According to the claims, the server can grant or deny functionality.
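To make the three parts concrete, here is an added example (not code from this post) that builds a JWT from a header, a payload and a server-held secret, and then does the per-request check described above: it verifies the signature and inspects the registered claims (iss, exp) before returning the payload. It uses only the Python standard library and HMAC-SHA256 as the hashing algorithm; the secret and the claim values are constructed for the example, and the issuer name is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real server loads it from
# configuration and never ships it to clients.
SECRET = b"example-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    # JWT parts are base64url encoded with the trailing "=" padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped during encoding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature, each part base64url encoded."""
    header = {"typ": "JWT", "alg": "HS256"}  # token type and hashing algorithm
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    # Signature = HMAC-SHA256 over "header.payload", keyed with the server secret.
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, expected_issuer: Optional[str] = None,
               now: Optional[float] = None) -> dict:
    """Check the signature, then the registered claims; return the payload.

    Raises ValueError for anything the server should reject.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts

    # The header is untrusted input until the signature is checked, so the
    # server insists on the algorithm it expects instead of obeying the header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of the signature were correct.
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")

    # Only now is the payload trustworthy; check the registered claims.
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims


def demo() -> dict:
    """Issue a token and run it through the checks a server performs."""
    issued_at = 1_000  # constructed clock values keep the demo deterministic
    claims = {"iss": "auth.example", "sub": "alice", "exp": issued_at + 900}
    token = create_jwt(claims, SECRET)
    results = {"accepted": verify_jwt(token, SECRET, "auth.example", now=issued_at) == claims}
    for name, kwargs in (("expired", {"now": issued_at + 3600}),
                         ("wrong_secret", {"secret": b"other", "now": issued_at})):
        try:
            verify_jwt(token, **{"secret": SECRET, **kwargs})
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The important ordering is that the signature is checked first and the claims only afterwards: before the signature passes, nothing in the header or payload can be trusted, which is also why the verifier pins the algorithm rather than reading it from the token.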
