Learn about Json Web Token – Jwt

Tram Ho

1. What is Json Web Token?

Suppose, to transmit confidential information from Mr. A to a person in organization A, how to recognize that person B also belongs to organization A? At that time, organization A came up with an idea, giving Mr. A a code so that before receiving or transmitting information, it will give a password to identify it as Mr. A. Through the above example, like termites. In the relationship between server and client, Mr. A will represent the server, organization A is similar to the client and the password to identify Mr. A is called Jwt .

How access token works

  1. When successfully logged in, the server will send the client an access token in the form of Jwt.
  2. The client stores the token and in each subsequent request will send the token on the header – depending on the writing style, there will be a different header name (Jwt-Authorization, JwtAuthorization, …).
  3. Server verify access token and return response to client if token is valid.

2. What is Jwt?

According to the definition of Jwt generated by Auth0 , a valid Jwt token consists of 3 parts: header, payload and signature are separated by a period “.”


Usually consists of 2 main parts, 1 is the token form – Jwt and the decryption algorithm used.

Information will be encoded by Base64url to create a complete header:


The place will contain the information necessary to identify the user and the duration of access such as user_id, role, login_token, exp, …

Values ​​such as iat, exp, iss … we call claims and there are 3 main types:

  • Register claims: A set of values predefined by Jwt – they are not mandatory but recommended , for example:
    • exp: represents expiration_time.
    • iat: the time a user requests login.

The difference of exp and iat will be the length of time the token is valid (in the example above exp – iat = 200).

  • Public claims: Defined by the community that uses Jwt – to avoid duplicating defined pubs on the IANA JSON Web Token Registry page.
  • Private claims: Created exclusively for an organization, or a specific project, accepted by insiders (Ex: login_token).

Similar to the header, the payload is encoded with Base64Url to make the second element in Jwt.

Note: Header and payload are only encoded with Base64Url, so be limited to sensitive information unless that information is encrypted (email, password, …)


The tool helps us to secure the valid token sent from the client to the server, made up of 3 parts:

HMACSHA256 is an algorithm, 2 encode parts of the header and payload + 1 secret key is generated from the project. Since the signature includes both the header and the payload, it can be determined that the content of the message hasn’t changed and who sent it.

Putting it all together we get a complete Jwt:

3. Finish

Through this article, we hope everyone has a better overview of Jwt or how an access_token works between client and server, in the next article I will introduce the implementation of Jwt in rails. Have a nice working day everyone! Happy coding!

Share the news now

Source : Viblo