System Designer
Back to Technology

JSON Web Tokens (JWT)

Master stateless authentication with secure, self-contained token-based systems

35 min read
Not Started

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed using either a secret (HMAC) or a public/private key pair (RSA or ECDSA).

JWTs are commonly used for authentication and information exchange in web applications, APIs, and microservices architectures. They provide a stateless way to maintain user sessions and convey user identity and authorization information without requiring server-side session storage. The self-contained nature of JWTs makes them ideal for distributed systems and single sign-on scenarios.

JWT Performance Calculator

489B
Token Size
100
Security Score
1.2ms
Signing Time
833
Max TPS

CPU Usage: 100%

Bandwidth: 5512 Kbps

Key Size: 256 bytes

JWT Structure

Complete JWT Format

A JWT consists of three Base64-encoded parts separated by dots (.).

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
Algorithm & Token Type
Payload
Claims & Data
Signature
Verification Hash

Header

Contains algorithm and token type information.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

Contains claims about the entity and additional data.

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

Verifies the token integrity and authenticity.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

JWT Claims Types

Registered Claims

Predefined claims with specific meanings.

• iss (issuer)
• sub (subject)
• aud (audience)
• exp (expiration)
• nbf (not before)
• iat (issued at)
• jti (JWT ID)

Public Claims

Claims defined in the JWT registry or with collision-resistant names.

• name
• email
• picture
• locale
• https://example.com/custom
• URI namespaced claims

Private Claims

Custom claims created for sharing information between parties.

• user_id
• role
• permissions
• organization
• custom_data
• application-specific

JWT Signing Algorithms

HMAC (Symmetric)

Uses a shared secret for both signing and verification.

• HS256 (HMAC + SHA256)
• HS384 (HMAC + SHA384)
• HS512 (HMAC + SHA512)
• Fast performance
• Shared secret required
• Not suitable for public verification

RSA (Asymmetric)

Uses private key for signing, public key for verification.

• RS256 (RSA + SHA256)
• RS384 (RSA + SHA384)
• RS512 (RSA + SHA512)
• Public verification
• Larger key sizes
• Slower than HMAC

ECDSA (Asymmetric)

Elliptic curve signatures with smaller keys and better performance.

• ES256 (ECDSA + SHA256)
• ES384 (ECDSA + SHA384)
• ES512 (ECDSA + SHA512)
• Smaller key sizes
• Better performance than RSA
• High security level

RSA-PSS (Asymmetric)

RSA with Probabilistic Signature Scheme for enhanced security.

• PS256 (RSA-PSS + SHA256)
• PS384 (RSA-PSS + SHA384)
• PS512 (RSA-PSS + SHA512)
• Enhanced security
• Probabilistic padding
• Slower than standard RSA

JWT Use Cases

Authentication

Stateless user authentication without server-side sessions.

  • • Single sign-on (SSO)
  • • Mobile app authentication
  • • API authentication
  • • Microservices identity

Information Exchange

Secure transmission of information between parties.

  • • User profile data
  • • Authorization permissions
  • • Configuration settings
  • • Temporary access grants

API Security

Securing API endpoints with verifiable tokens.

  • • REST API authentication
  • • GraphQL authorization
  • • Microservices communication
  • • Third-party integrations

Session Management

Managing user sessions in distributed systems.

  • • Web application sessions
  • • Cross-domain authentication
  • • Load balancer compatibility
  • • Horizontal scaling

JWT Security Best Practices

✅ Do

  • • Use strong signing algorithms (ES256, RS256)
  • • Keep token lifetime short (15-30 minutes)
  • • Validate all claims (iss, aud, exp, nbf)
  • • Store secrets securely
  • • Implement token blacklisting for logout
  • • Use HTTPS for token transmission
  • • Implement proper error handling

❌ Don't

  • • Store sensitive data in JWT payload
  • • Use 'none' algorithm in production
  • • Skip signature verification
  • • Use weak secrets for HMAC
  • • Ignore token expiration
  • • Store JWTs in localStorage without encryption
  • • Use JWTs for server-side sessions

JWT Implementation Example

Creating a JWT (Node.js)

Creating a JWT (Node.js)
const jwt = require('jsonwebtoken');

const payload = {
  sub: '1234567890',
  name: 'John Doe',
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + (60 * 60) // 1 hour
};

const secret = 'your-256-bit-secret';
const token = jwt.sign(payload, secret, { algorithm: 'HS256' });

Verifying a JWT

Verifying a JWT
try {
  const decoded = jwt.verify(token, secret);
  console.log('Token is valid:', decoded);
  
  // Check additional claims
  if (decoded.exp < Math.floor(Date.now() / 1000)) {
    throw new Error('Token expired');
  }
} catch (error) {
  console.error('Token validation failed:', error.message);
}

📝 JWT Quiz

1 of 6Current: 0/6

What does JWT stand for?