A JWT token (JSON Web Token) is just a string with a well-defined format. A sample token might look like this:
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6ImZyb20gSldUIn0.XoByFQCJvii_iOTO4xlz23zXmb4yuzC3gqrWNt3EHrg
```
There are 3 parts separated by a `.` (dot) character:
- header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
- body: eyJoZWxsbyI6ImZyb20gSldUIn0
- signature: XoByFQCJvii_iOTO4xlz23zXmb4yuzC3gqrWNt3EHrg
Header and Body are JSON strings encoded using the Base64Url algorithm (a URL-safe variation of the standard Base64 encoding algorithm).
https://tools.ietf.org/html/rfc4648#section-5
If we decode them this is what we get:
- header: { "alg": "HS256", "typ": "JWT" }
- body: { "hello": "from JWT" }
The signature part contains bytes which represent a cryptographic signature of header and body (also encoded using Base64Url) and can be used to verify the authenticity of a token.
JWT tokens are mostly used as a mechanism for "stateless" authentication and authorization. Let's try to discuss what this means with a simple example:
In this picture, John is authenticating against an auth server. The auth server recognizes his credentials and gives him back a token. John can now use the token to connect to specific services.
When John makes a request to a service, he will attach his token. The service looks at the token to understand if the request is authorized.
The service can read the information embedded within the token to understand that the request is coming from John and can verify that the signature was applied by the Auth server.
This process is "stateless" because this validation can be done without having to make an explicit request to the Auth server. This is a great property for distributed systems or, in general, systems that deal with a high load of requests.
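To make the three parts and the "stateless" check concrete, here is an added example (not code from the original post or its author) that does both halves of the story in plain Python: it splits and Base64Url-decodes the sample token above exactly as jwt.io would, and it signs and verifies an HS256 token the way the auth server and the service would. The key that produced the sample token's signature is not given in the text, so that token is only decoded, not verified; `DEMO_KEY`, the `{"sub": "john"}` body and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# The sample token from the text above (header {"alg":"HS256","typ":"JWT"},
# body {"hello":"from JWT"}). The key behind its signature is not given,
# so it is only decoded here, never verified.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJoZWxsbyI6ImZyb20gSldUIn0"
    ".XoByFQCJvii_iOTO4xlz23zXmb4yuzC3gqrWNt3EHrg"
)

# Constructed demo key: stands in for the secret shared by the auth server
# and the service. A real deployment uses a random key of at least 256 bits.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def b64url_encode(raw: bytes) -> str:
    """Base64Url (RFC 4648 section 5): URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_jwt(token: str):
    """Return the (header, body, signature) segments; a JWT has exactly three."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT must have exactly three dot-separated parts")
    return parts


def decode_unverified(token: str):
    """What jwt.io or jwtinfo shows: header and body parsed as JSON.
    No key is needed, so header and body are readable by anyone holding the token."""
    header_b64, body_b64, _ = split_jwt(token)
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(body_b64))


def sign_hs256(header: dict, body: dict, key: bytes) -> str:
    """The auth server's side: serialise header and body, then sign
    'header.body' with HMAC-SHA256 and append the Base64Url signature."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{body_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """The service's side: recompute the HMAC over the exact bytes received and
    compare it with the signature segment before trusting anything in the body."""
    header_b64, body_b64, sig_b64 = split_jwt(token)
    header = json.loads(b64url_decode(header_b64))
    # The service decides which algorithm it accepts; the token's header does not.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match")
    return json.loads(b64url_decode(body_b64))


def is_valid(token: str, key: bytes) -> bool:
    """Yes/no wrapper around verify_hs256 (decode and JSON errors are ValueErrors)."""
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("sample token decodes to:", decode_unverified(SAMPLE_TOKEN))
    issued = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "john"}, DEMO_KEY)
    print("token issued to john:", issued)
    print("service accepts it:", is_valid(issued, DEMO_KEY))
    h, b, s = issued.split(".")
    edited = ".".join([h, b64url_encode(b'{"sub":"admin"}'), s])
    print("service accepts it after the body was edited:", is_valid(edited, DEMO_KEY))
```

Two things the code makes visible that the prose only implies: decoding needs no key at all, so anything placed in the body is readable by whoever holds the token, and the service's check is purely local (a shared key plus one HMAC computation), which is what makes the flow stateless. Note that `verify_hs256` pins the algorithm to what the service expects instead of reading it from the token's own header, and compares signatures with `hmac.compare_digest`.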
If you want to "debug" (or visualize) the content of a JWT token, you can use http://jwt.io or a CLI tool such as jwtinfo (https://github.com/lmammino/jwtinfo).
I hope this helps to shed some light on what JWT tokens are, how they work and when they can be used.
I posted this on dev as well, if you prefer a slightly more detailed format for this info: https://dev.to/loige/what-is-a-jwt-token-302k