JSON Web Tokens (JWT): Securely Sharing Identity in the Web

Rohit Sonar Blogs
Rohit Sonar
Cover Image of the article

Have you ever logged into a website and wondered how it remembers who you are as you navigate from page to page? One popular answer is the JSON Web Token, or JWT. JWTs let servers and clients exchange identity data in a compact, self-contained package that’s secure, easy to verify, and works across domains. Let’s unpack what a JWT is, how it works, and when you might use it in your applications.

What Is a JWT? A Tamper-Resistant ID Card

Think of a JWT as a sealed envelope containing a little ID card about you: your user ID, roles, or any other claims the server needs to know. That envelope has three parts:

  1. Header: Declares the token type (always “JWT”) and the signing algorithm (like HMAC or RSA).
  2. Payload: Contains your claims—information such as who you are, when the token expires, or any custom data your app needs.
  3. Signature: A cryptographic seal created by the server using a secret key (or private key). The signature ensures no one can tamper with the header or payload without invalidating the seal.

You combine these parts into a string separated by dots, and you get something like:

eyJhbGciOi….<payload>….<signature>

That string can travel safely over the internet, stored in a cookie or HTTP header.

How JWTs Work in Practice

When you log in, the server validates your credentials and issues a JWT containing your user identity and any permissions you’ve been granted. On subsequent requests, your client sends that token back to the server. The server:

  1. Parses the token’s header and payload.
  2. Verifies the signature using its secret key to ensure the token hasn’t been altered.
  3. Checks standard claims like expiration time to make sure the token is still valid.
  4. Grants access or returns data based on the claims inside.

Because the token itself carries all the necessary information and is self-verifiable, the server doesn’t need to store session data. That makes JWTs especially handy for stateless, distributed systems or microservices architectures.

Claims and Custom Data

JWTs come with a few standard claims—fields the JWT specification reserves for common needs:

  • iss (issuer): Who issued the token.
  • sub (subject): The principal that the token refers to, often a user ID.
  • exp (expiration): When the token expires, expressed in seconds since the epoch.

Beyond those, you can add any custom claims you like: a user’s role, organisation ID, or feature-flag settings. Just be mindful: whatever you put in the payload is visible to anyone who inspects the token. Never include passwords or other secrets in the payload.

Signing vs. Encryption

JWTs are usually signed but not encrypted. Signing guarantees integrity—no one can change the payload without detection—but does not hide the data. If you need confidentiality, you can nest a JWT inside an encrypted payload (sometimes called a JWE), or secure your transport layer with HTTPS so that tokens travel safely.

Where JWTs Shine

  • Single-Page Applications (SPAs) and mobile apps, where the client needs to carry session state without server-side storage.
  • Microservices that need to authenticate calls between services without a central session store.
  • Cross-domain authentication, where carrying a self-contained token is easier than sharing cookies.

In each case, JWTs enable stateless authentication: each request carries all the context the server needs.

Pitfalls and Best Practices

  • Short Lifetimes: Keep tokens short-lived to reduce the window for misuse if they leak.
  • Secure Storage: Store tokens in secure, same-site cookies or in-memory stores; avoid local storage if you can.
  • Revocation: Since JWTs are stateless, revoking a token early is tricky. Use refresh tokens with a revocation mechanism or track revoked token IDs in a fast lookup.
  • Algorithm Safety: Always explicitly declare and verify the algorithm in the header. Don’t trust tokens that omit or misuse the “alg” field.

By following these guidelines, you’ll reduce the risk of token misuse or replay attacks.

Wrapping Up

JSON Web Tokens offer a flexible, scalable way to share user identity and authorization data across modern web and mobile applications. They give you stateless sessions, cross-service authentication, and easy integration with third-party identity providers. When you need a secure, compact way to carry claims between parties, JWTs are a powerful tool to have in your toolbox.