JWT is that simple


Articles are not guaranteed to be up-to-date. Please visit the blog for the latest version www.huborui.com/ see.

JSON Web TokenIs a very simple and practical specification, through which you can transfer safe and reliable data before the client and server.

JWT consists of three parts

  • Head
  • Load (payload)
  • Signature

Use these three parts.Connect to make a JWT(header.payload.signature)。

The principle from JWT generation to data acquisition is shown in the following three parts.


The header describes the basic information of JWT, such as type, signature algorithm, etc.

    //The type is JWT
    "typ": "JWT",
    //Hs256 algorithm
    "alg": "HS256"

On the headerBase64Code to get the first part.


Yes, Base64 encoding is not encryption, can be restored! Is our JWT secure without encryption? Keep looking.


Payload is a place to carry data. We can put the data that needs to be delivered to the server in the payload.

Since our baby data is on payload, will it be encrypted?

can’t! Or Base64 encoding, can be restored! So don’t put valuable data in it.

    //Five words are officially defined to identify some information
    //JWT signer
    "iss": "god",
    //When will it be issued 
    "iat": 1441525213,
    //When does exp expire UNIX timestamp
    "exp": 1441525324,
    //Users receiving Jew
    "aud": "[email protected]"
    //JWT for users
    "sub": "[email protected]"
    //The rest can be defined by yourself
    "userID": 12345,

Still Base64 encoding, get the second part of the string and header.Put it together.


Don’t worry. Do you think it is plain text data. How can the server judge the truth and falsehood of JWT? Next, we have to sign the encryption link.


In the signature phase, we need to provide a secret that only you know, which is used for the linked header and payloadHS256Algorithm encryption, get the encrypted string, and spell together with the previous:


Three parts are successful! JWT construction succeeded!

Anti counterfeiting

Can JWT be forged? Think about it carefully. If you don’t know the server’s key and manually modify any part of the header or payload, you will get a different Base64 code. The signature generated by the new code through the key must be different from the old one. Without the correct signature, the server will directly return an error.

The process of verifying a JWT by the server is also simple:

  1. JWT received
  2. The header and payload are signed with the key and the corresponding algorithm
  3. Determine whether the generated signature is consistent with the third part of JWT
  4. If it is inconsistent, an error is returned, and if it is consistent, the data in the payload is trusted


The core of JWT is the key. If you have the key, you have the right to generate JWT (never disclose it).

The data in payload is not encrypted. Do not put sensitive data.

reference material

  • JSON web token – securely transfer information between web applications
  • Eight comics understand the design of single sign in system by JSON web token