Understanding JSON Web Tokens (JWT): Structure, Creation, and Usage

JSON Web Token (JWT) is a lightweight specification that enables secure information exchange between a user and a server.

Consider a scenario where user A follows user B; the system sends an email to B with a link like https://your.awesome-app.com/make-friend/?from_user=B&target_user=A . This approach requires B to be logged in, but JWT can simplify the process so B can act without logging in.

JWT Components

A JWT is a string composed of three parts: Header , Payload , and Signature .

Payload

The payload is a JSON object that carries claims such as iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and custom fields like from_user and target_user :

{
  "iss": "John Wu JWT",
  "iat": 1441593502,
  "exp": 1441594722,
  "aud": "www.example.com",
  "sub": "[email protected]",
  "from_user": "B",
  "target_user": "A"
}

These standard fields are defined by the JWT specification.

Base64‑url encode the JSON payload to obtain the JWT payload string, e.g.:

eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9

In Node.js you can generate this string with the base64url package:

var base64url = require('base64url');
var header = { "from_user": "B", "target_user": "A" };
console.log(base64url(JSON.stringify(header)));
// output: eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9

Header

The header describes the token type and signing algorithm, for example:

{
  "typ": "JWT",
  "alg": "HS256"
}

After Base64‑url encoding, the header becomes:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Signature

Combine the encoded header and payload with a period (.) and sign the result using the algorithm specified in the header and a secret key (e.g., mystar ), producing a signature such as:

rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

The complete JWT is:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

Using this token, the email link can be simplified to:

https://your.awesome-app.com/make-friend/?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM

This allows the friend‑adding operation to be performed securely without requiring B to log in.

Note: Base64 is an encoding, not encryption; it can be decoded back to the original data.

Purpose of the Signature

The signature ensures that any modification to the header or payload will produce a different signature, and without the secret key the attacker cannot forge a valid signature. The server verifies the signature using the same algorithm and secret; a mismatch results in a 401 Unauthorized response.

Is Information Exposed?

Since the payload is only Base64‑encoded, it is readable to anyone with the token. Therefore, sensitive data (e.g., passwords) should never be placed in the payload; only non‑sensitive identifiers like user IDs are appropriate.

Applicable Scenarios

JWTs are suitable for transmitting non‑sensitive data in web applications, such as friend‑adding links, order confirmations, and especially for authentication and authorization mechanisms, including single‑sign‑on (SSO).