In modern web development, secure user authentication and data exchange are essential. One of the most popular methods for achieving this is using JWT (JSON Web Token).
But what exactly is a JWT, and why is it widely used in APIs and web applications?
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWTs are often used for authentication and authorization in web applications.
JWT Structure
A JWT typically consists of three parts, separated by dots:
xxxxx.yyyyy.zzzzz
These parts are:
Header
Contains the type of the token (JWT) and the signing algorithm (e.g., HS256 or RS256).
Payload
Contains the claims or data (such as user ID, role, expiration time). This part is not encrypted, so never include sensitive data.
Signature
Used to verify the token was not modified and is from a trusted source.
Example:
- eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
- eyJ1c2VyX2lkIjoxMjMsImV4cCI6MTcwMDAwMDAwMH0
- SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
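To see that the first two parts are plain base64url (readable by anyone who holds the token), here is an added example, not part of the original article, that splits the three-part token above and decodes its header and payload with only the Python standard library. It uses the header and payload values shown above; the signature segment is decoded only to measure its length, since the signing key behind it is not given.

```python
import base64
import json

# The three segments shown above (the article's example values).
EXAMPLE_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
EXAMPLE_PAYLOAD = "eyJ1c2VyX2lkIjoxMjMsImV4cCI6MTcwMDAwMDAwMH0"
EXAMPLE_SIGNATURE = "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
EXAMPLE_TOKEN = ".".join([EXAMPLE_HEADER, EXAMPLE_PAYLOAD, EXAMPLE_SIGNATURE])


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT strips the '=' padding, so restore it first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def inspect_token(token: str) -> dict:
    """Split a JWT into its three parts and decode the two JSON parts.

    No key is involved: header and payload are encoded, not encrypted,
    which is exactly why sensitive data must never be placed in the payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        # Length of the raw signature; HS256 produces a 32-byte HMAC-SHA256 tag.
        "signature_bytes": len(b64url_decode(signature_b64)),
    }


if __name__ == "__main__":
    info = inspect_token(EXAMPLE_TOKEN)
    print("header:          ", info["header"])
    print("payload:         ", info["payload"])
    print("signature length:", info["signature_bytes"], "bytes")
```

Running it prints the header `{"alg": "HS256", "typ": "JWT"}` and the payload `{"user_id": 123, "exp": 1700000000}` without any secret, which is the practical meaning of "base64-encoded, not encrypted".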
How JWT Works
- Login: The user logs in with their credentials.
- Token Issued: The server verifies the credentials and sends back a signed JWT.
- Client Stores Token: Usually in localStorage or cookies.
- Authenticated Requests: The client includes the JWT in the Authorization header for each request.
- Server Validates: The server validates the signature and checks token expiration.
This stateless approach removes the need for server-side sessions.
Benefits of Using JWT
- Stateless: No need to store sessions on the server.
- Scalable: Easy to use across microservices.
- Compact: Small size, ideal for mobile or web environments.
- Cross-platform: JWTs are language-agnostic and widely supported.
Common JWT Pitfalls
- Do not store sensitive data in the payload (it's base64-encoded, not encrypted).
- Always validate expiration (exp).
- Use HTTPS to prevent token interception.
- Rotate secrets regularly if using symmetric algorithms.
How SafeLine Helps
JWT is a powerful tool, but like all security mechanisms, it must be used properly. If you're running your own backend services or APIs, protecting them from injection, abuse, or misuse is critical.
SafeLine is a self-hosted, open-source Web Application Firewall (WAF) that can help defend your APIs—even those using JWT—from common attacks such as:
- JWT manipulation attempts
- Path traversal
- SQL injection
- Rate abuse
With SafeLine, you can deploy application-layer protection without giving up control to third-party services.
SafeLine Website: https://ly.safepoint.cloud/ShZAy9x
Live Demo: https://demo.waf.chaitin.com:9443/statistics
Discord: https://discord.gg/dy3JT7dkmY
Doc: https://docs.waf.chaitin.com/en/home