JWT
(Redirected from JSON Web Token)
This article is a stub. You can help the IndieWeb wiki by expanding it.
JWT (JSON Web Token) is a method of encoding and signing JSON data in a URL-safe string.
While JWT is actually designed to represent auth "claims," it can also serve as a general-purpose signing method ignoring all well-defined property names in the spec.
An example JWT in its encoded format looks like the below:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ zdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4 gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJ SMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Extracting the contents of the above JWT results in the JSON object below:
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
NOTE: You must validate the signature of the JWT before using the data in the claims, otherwise people can easily hack your software! If you don't validate the signature, anyone can create a similar-looking JWT and do things like replace usernames to log in as other people.
Resources
- jsonwebtoken.io
- Ruby Implementation
- PHP Implementation
- My Favorite Database is the Network
- Stop Using JWT for Sessions