Understanding JSON Web Tokens

𝗧𝗵𝗶𝗻𝗸 𝗼𝗳 𝘁𝗵𝗶𝘀: a user logs in to your application. Instead of storing their credentials on your server, you issue a unique JSON Web Token(JWT) containing their essential information. This token, like a signed passport, grants them access to authorized resources across different parts of your system without needing to re-authenticate. 𝗨𝗻𝗱𝗲𝗿 𝘁𝗵𝗲 𝗵𝗼𝗼𝗱, 𝗝𝗪𝗧𝘀 𝘄𝗼𝗿𝗸 𝗹𝗶𝗸𝗲 𝘁𝗵𝗶𝘀: 1. 𝗟𝗼𝗴𝗶𝗻: The user submits their credentials (username/password).     2. 𝗧𝗼𝗸𝗲𝗻 𝗚𝗲𝗻𝗲𝗿𝗮𝘁𝗶𝗼𝗻: If valid, the server crafts a JWT. This token has three parts:         Header: Contains metadata about the token itself, like its type and algorithm used for signing.         Payload: Holds the actual user claims (information), such as username, roles, and permissions.         Signature: This digitally signed part, using a secret key, ensures the token's integrity and authenticity.     3. 𝗧𝗼𝗸𝗲𝗻 𝗗𝗲𝗹𝗶𝘃𝗲𝗿𝘆: The server sends the JWT back to the user's client (browser/app).     4. 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲 𝗔𝗰𝗰𝗲𝘀𝘀: On subsequent requests, the client includes the JWT in the authorization header.     5. 𝗧𝗼𝗸𝗲𝗻 𝗩𝗲𝗿𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻: The server receives the JWT and verifies its signature using the same secret key. If valid, it extracts the user claims and grants access based on the information. 𝗪𝗵𝘆 𝗮𝗿𝗲 𝗝𝗪𝗧𝘀 𝗮𝗱𝘃𝗮𝗻𝘁𝗮𝗴𝗲𝗼𝘂𝘀? Security: Self-contained and digitally signed, they resist tampering and session hijacking. Stateless: No server-side session storage, leading to better scalability and performance. Flexible: Carrying various claims, they enable fine-grained access control and data sharing between microservices. Performance: Faster authentication translates to smoother user experiences and quicker API responses. 𝗝𝗪𝗧𝘀 𝗱𝗼𝗻'𝘁 𝘀𝘁𝗼𝗽 𝗮𝘁 𝗮𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻: Authorization Management: Embed user roles and permissions within the token for granular access control. Secure Data Exchange: Use JWTs as encrypted carriers for secure data transfer between applications.

TECHNICAL BREAKDOWN ⚙️ Here’s how I developed the patient login feature in one of the mobile apps I built. Most of the work was in implementing authentication and authorization logic at the API-layer; which is built using Node.js (JavaScript server-side runtime) and Express.js (web application framework that runs on Node). ⠀ I implemented token-based authentication using JSON web tokens (JWTs); JWTs are compact, self-contained tokens used for securely transmitting information between parties as a JSON object. - A JWT is signed by the server using a secret key and contains a signature; ensuring that the token was not modified and was indeed signed by the same server. - A JWT also includes a payload of ‘claims’ between the server and client; this usually includes things like the user ID, token expiration time, etc. The flow: — The mobile app makes a sign-in request (username/password) to the API — If authentication is successful, then the API generates and signs a JWT using a private key; also including the claims (user ID, expiration time, etc.) — The API returns the JWT back to the mobile app in it’s response, as well as the logged-in user’s account data — The mobile app stores the JWT to use on any subsequent requests to the API to authorize usage (new appointment, edit account, etc.) — On the subsequent calls, the API verifies the JWT using the private key, and authorizes operations for that user based on the claims in the JWT Advantages of using JWTs — The client (mobile app) doesn’t need to insecurely store the logged-in user’s credentials; only the JWT — A JWT is self-contained; all the information about an authenticated user/session is in the JWT, removing the need for the server to hold session state — Condusive to single sign-on solutions What do you think; make sense? Any experience using JWTs yet?

Things Every Developer Should Know: JSON Web Token (JWT). JWTs are one of the most widely used methods for API authentication, providing a secure, stateless and scalable way to verify clients. 𝗛𝗲𝗿𝗲’𝘀 𝗮 𝘀𝗶𝗺𝗽𝗹𝗲-𝘁𝗼-𝘂𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱 𝗯𝗿𝗲𝗮𝗸𝗱𝗼𝘄𝗻 𝗼𝗳 𝗵𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀, 𝘀𝘁𝗲𝗽 𝗯𝘆 𝘀𝘁𝗲𝗽: 𝟭) 𝗖𝗹𝗶𝗲𝗻𝘁 𝗮𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 The client (a user, app, or device) provides credentials (eg; username/password) to the authentication server. 𝟮) 𝗦𝗲𝗿𝘃𝗲𝗿 𝘃𝗲𝗿𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻 The authentication server checks the credentials against its database or identity provider to confirm their validity. 𝟯) 𝗝𝗪𝗧 𝗶𝘀𝘀𝘂𝗮𝗻𝗰𝗲 If authentication is successful, the server: ☑ Generates a JWT with claims (eg; user ID, roles, permissions). ☑ Signs the JWT using a secret key (HS256) or a private key (RS256). 𝟰) 𝗧𝗼𝗸𝗲𝗻 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝘆 The server sends the signed JWT back to the client in the response. 𝟱) 𝗦𝗲𝗰𝘂𝗿𝗲 𝘀𝘁𝗼𝗿𝗮𝗴𝗲 The client stores the JWT securely to prevent unauthorized access. HTTP-only cookies are the most secure and widely used method. 𝟲) 𝗔𝗣𝗜 𝗿𝗲𝗾𝘂𝗲𝘀𝘁𝘀 𝘄𝗶𝘁𝗵 𝗝𝗪𝗧 For each request to a protected API, the client includes the JWT in the Authorization header: `Authorization: Bearer <JWT>` 𝟳) 𝗦𝗲𝗿𝘃𝗲𝗿 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗲𝘀 𝘁𝗵𝗲 𝗝𝗪𝗧 The API server verifies the JWT before granting access by checking: ☑ Signature – Confirms token integrity (not tampered with). ☑ Expiration – Ensures the token hasn’t expired. ☑ Audience (aud claim) – Checks if the token is meant for this API. ☑ Issuer (iss claim) – Confirms the token was issued by a trusted authority. If the JWT is valid, the server grants access to the requested resource. Otherwise, it rejects the request (401 Unauthorized). 𝟴) 𝗧𝗼𝗸𝗲𝗻 𝗲𝘅𝗽𝗶𝗿𝗮𝘁𝗶𝗼𝗻 & 𝗿𝗲𝗳𝗿𝗲𝘀𝗵 Since JWTs expire for security reasons, the client needs a refresh token to get a new one: ↳ Client sends refresh token to the server. ↳ Server verifies & issues a new JWT if the refresh token is valid. ↳ New JWT replaces the expired one, and the client continues making requests. This workflow ensures secure, stateless, and efficient authentication for APIs while keeping performance and scalability in check. 💭 Over to you: What authentication methods do you like to use? ~~ Thank you to our partner AWS who keeps our content free to the community. 𝗧𝗵𝗲 𝗔𝗪𝗦 𝗗𝗲𝘃𝗲𝗹𝗼𝗽𝗲𝗿 𝗖𝗲𝗻𝘁𝗲𝗿 𝗶𝘀 𝗮 𝗴𝗼𝗹𝗱𝗺𝗶𝗻𝗲 𝗼𝗳 𝗹𝗲𝗮𝗿𝗻𝗶𝗻𝗴 𝗿𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀. From DevOps to Gen AI, they’ve got you covered. The best part? It’s all free! Source: Nikki Siapno

What are JWT Tokens? How do apps know who you are without storing your credentials again and again? It all starts with something called a JWT (JSON Web Token). It’s compact. It is URL-safe. And it’s everywhere. Here’s how it works: - You log in → Auth server verifies your credentials - Server sends back a token - You use that token in every future request - Server checks the token → grants access - No sessions. No backend memory. Pure stateless magic. That token is a JWT. So, what’s inside this token? A JWT has 3 parts: 1. Header → Info about the type & signing algorithm 2. Payload → Data about you: user ID, email, expiry time 3. Signature → A cryptographic proof that no one has tampered with the token It looks like this: HHHHHHH.PPPPPP.SSSSSSSSS And even though it looks random, it’s all Base64 encoded, meaning machines can read and verify it in milliseconds. But here’s the catch: - Don’t put sensitive data in it. - Always verify the token before trusting it. JWTs are powerful but only when used right. Have you worked with JWTs in your systems? Where have you seen them work or fail? #JWT #WebSecurity #DevTools #Auth #Authentication #APIs #WebDevelopment #SoftwareEngineering