What is JSON Web Token (JWT)

A JWT looks like this (no worries, it expired a long time ago):


A JWT consists of 3 parts, header, payload, and verify signature, separated by a dot (.). In the above case, we have:

//Verify signature

All parts are Base64url-encoded (the URL-safe base64 alphabet, without padding), so you can use a base64 decoder to view the content. For example, eyJhbGciOiJIUzI1NiJ9 base64-decodes to {"alg":"HS256"}. You can play around with this at https://www.base64decode.org/. Likewise for the payload, so if the token is leaked, the payload can be read by anyone: no key is needed to decode it, only to verify it. All in all, you do not want the token to be leaked or shared around, even if it has already expired, since it might still contain sensitive information.

The verify signature is produced by the algorithm named in the header, applied to the base64-encoded header and the base64-encoded payload joined with a "." in the middle. In this case it is the result of HS256(eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ), i.e. HMAC-SHA256 keyed with the server's secret.
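As an added example (not part of the original page), the following Python script decodes the header and payload of the token above without any key, then shows what verification adds on top of decoding: recomputing HS256 over header.payload with the server's secret and checking exp. The secret and the resulting signature are constructed here, since the original token's signature and key are not shown on the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Header and payload segments exactly as shown on the page.
SIGNING_INPUT = ("eyJhbGciOiJIUzI1NiJ9."
                 "eyJzdWIiOiJmYWtlX2xvZ2luIiwiZXhwIjoxNjA0NTM4ODIwLCJyb2xlcyI6IlJPTEVfVVNFUiwifQ")
SECRET = b"demo-secret-not-the-real-one"  # constructed: the real signing key is unknown


def b64url_decode(segment):
    """JWT segments are Base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def hs256_sign(signing_input, secret):
    """HS256 = HMAC-SHA256 over 'header.payload', Base64url-encoded."""
    return b64url_encode(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def decode_unverified(token):
    """What anyone holding the token can do: read header and payload with no key at all."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token, secret, now=None):
    """Check alg, signature and expiry; return the payload or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # accept only the algorithm we expect
        raise ValueError("unexpected alg")
    expected = hs256_sign(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
        raise ValueError("bad signature")     # payload or signature was altered
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")     # exp is a Unix timestamp in seconds
    return payload


# Constructed token: the page's header.payload signed with our demo secret.
TOKEN = SIGNING_INPUT + "." + hs256_sign(SIGNING_INPUT, SECRET)
```

Decoding the page's payload yields {"sub":"fake_login","exp":1604538820,"roles":"ROLE_USER,"}; verification with the right secret succeeds only for a clock before that exp, and fails for any other secret or an altered payload.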

jwt.io has an interactive JWT encoder/decoder; you can play around with it at https://jwt.io/.

  • springboot/what_is_json_web_token_jwt.txt
  • Last modified: 2020/11/05 09:28
  • by chongtin