“Understanding JWT: A Deep Dive into JSON Web Tokens and their Internal Mechanics”

Dev Balaji
3 min read · May 24, 2023


JWT stands for JSON Web Token. It is a compact, URL-safe means of representing claims between two parties. JWTs are often used for authentication and authorization purposes in web applications and APIs.

Internally, a JWT consists of three parts: a header, a payload, and a signature, which are concatenated with dots to form a string in the format `header.payload.signature`.

1. Header: The header typically consists of two parts: the token type (which is JWT) and the signing algorithm used to create the signature. For example:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

2. Payload: The payload contains the claims, which are statements about an entity (typically the user) and additional metadata. There are three types of claims: registered claims, public claims, and private claims. Registered claims include predefined claims such as “iss” (issuer), “sub” (subject), “exp” (expiration time), “iat” (issued at), etc. Public claims are defined by the users of JWT, and private claims are custom claims used by specific applications. For example:

```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
```

3. Signature: The signature is created by taking the encoded header and the encoded payload, together with a secret key (or, for asymmetric algorithms, a private key), and applying the algorithm specified in the header. The signature lets the receiver verify the integrity of the token and ensure that it has not been tampered with.

To create a JWT, the following steps are typically followed:

1. Create the header and payload as JSON objects.
2. Base64URL encode the header and payload separately to form the first two parts of the JWT.
3. Concatenate the encoded header and payload with a dot.
4. Sign the concatenated string using a secret key or private key and the algorithm specified in the header to generate the signature.
5. Base64URL encode the signature.
6. Concatenate the encoded signature with the previously created string using dots to form the complete JWT.

Here’s an example of a JWT (shown on three lines, one per part; the real token is a single string):

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaXNzIjoiVGVzdCBpcyBhIHN0b3JlIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

In the example above:
- The header specifies that the “HS256” algorithm should be used.
- The payload contains a subject (“sub”), a name, and an issuer (“iss”).
- The signature is generated using a secret key and the HMAC-SHA256 algorithm.

When the receiver of the JWT gets it, they can perform the following steps to validate and extract the information:

1. Split the JWT into its three parts: header, payload, and signature.
2. Verify the signature by re-computing it using the header, payload, and the same algorithm and key that were used to generate the original signature.
3. Ensure that the signature matches the one extracted from the JWT.
4. Validate the claims, such as the expiration time (“exp”), to ensure the token is still valid and has not expired.
5. Extract the information from the payload to use it for authentication and authorization purposes.
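The two procedures above (creating a token, then validating it on the receiving side) carried through for HS256 with only the Python standard library. This is an added example, not code from the original article; the secret and claims are constructed sample values. The verifier deliberately pins the expected algorithm instead of trusting the header's `alg`, compares signatures in constant time, and checks `exp` before any claim is used.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    # Base64URL without '=' padding, as JWT requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    # Creation steps 1-6: encode header and payload, sign, join with dots
    header = {"alg": "HS256", "typ": "JWT"}
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = enc_header + "." + enc_payload
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    # Validation steps 1-5. Raises ValueError on any failure so callers
    # never see claims from a token that did not pass every check.
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    # Pin the algorithm we issued with; do not let the token choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r; only HS256 is accepted" % header.get("alg"))
    signing_input = (enc_header + "." + enc_payload).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(enc_payload))
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # sample value, not a real key
    token = create_jwt({"sub": "1234567890", "name": "John Doe", "exp": 1700000000}, SECRET)
    print(token)
    print(verify_jwt(token, SECRET, now=1600000000))
```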

JWTs provide a self-contained mechanism for transmitting information between parties, enabling secure communication and allowing systems to trust the information contained within the token without relying on a centralized authority.
