A JSON Web Token (JWT) is composed of three parts—Header, Payload (Claims), and Signature—and within those the “basic parameters” you’ll most often see are:

1. Header

  • alg (Algorithm): The signing algorithm the issuer used (e.g. HS256, RS256). A verifier must not take this value at face value: pin the algorithm(s) you accept on the receiving side, otherwise a token with "alg": "none" or one that swaps an asymmetric algorithm for an HMAC one (key confusion) can pass.
  • typ (Type): Media type of the token, conventionally "JWT". It is optional and informational, not a security control.
  • kid (Key ID, optional): Identifier of the key used to sign the token, useful when you rotate keys. Use it only as a lookup into a set of keys you already trust; never treat it as a file path, URL or database value to be dereferenced.

2. Payload (Registered Claims)

These are the standard, registered claims defined by the JWT spec (RFC 7519). You don’t have to include all of them, but these are the most common:

  • iss (Issuer): Who issued the token (e.g. your auth server). Verifiers should compare it against the issuer they expect.
  • sub (Subject): The principal about whom the token asserts information (often the user ID).
  • aud (Audience): Recipient(s) the token is intended for, as a string or an array of strings (e.g. your API). A receiver must reject a token whose aud does not include its own identifier.
  • exp (Expiration Time): NumericDate (seconds since the Unix epoch) at or after which the token must be rejected.
  • nbf (Not Before, optional): NumericDate before which the token must not be accepted.
  • iat (Issued At): NumericDate when the token was issued.
  • jti (JWT ID, optional): Unique identifier for this token. It only prevents replay if the receiver records the jti values it has seen (until their exp) and rejects duplicates.

3. Payload (Public & Private Claims)

  • Public claims: Additional claims whose names are either registered in the IANA "JSON Web Token Claims" registry or chosen to be collision-resistant, typically by prefixing them with a URI you control (e.g. "https://example.com/roles": ["admin", "user"]).
  • Private claims: Custom, application-specific claims whose names are agreed upon by issuer and consumer (e.g. "tenant_id": 1234 or "roles": ["admin", "user"]); nothing guards these against name collisions, so the two sides must stay in sync.

4. Signature

  • Computed over the ASCII string base64UrlEncode(header) + "." + base64UrlEncode(payload) with the secret (HMAC) or private key (RSA/ECDSA) and the algorithm the issuer chose.
  • Ensures integrity (the token wasn't tampered with) and authenticity of origin. With an asymmetric algorithm only the holder of the private key can sign, so verifiers need just the public key; with HMAC every party holding the shared secret can mint tokens, so a verifier that holds the secret could also forge them.
  • The header and payload are only encoded, not encrypted: anyone holding the token can read every claim, so never put secrets in the payload.

Typical Minimal Example

// Header
{
  "alg": "HS256",
  "typ": "JWT"
}
 
// Payload
{
  "iss": "https://auth.example.com/",
  "sub": "user-123",
  "aud": "https://api.example.com/",
  "iat": 1715400000,
  "exp": 1715403600
}
 
// Signature
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  your-256-bit-secret
)

Key Takeaways

  • Header tells you how the token was signed, but the verifier decides how it is checked: pin the expected algorithm and key.
  • Payload carries the data (registered claims for control plus any custom data) and is readable by anyone who holds the token.
  • Signature guarantees the token's integrity and origin, but only once you have verified it with the expected key and algorithm.
  • Always enforce exp (and nbf, if used), iss and aud on the receiving side, and only after the signature check has passed.
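The following is an added example, not part of the original answer, that turns the pseudocode in "Typical Minimal Example" and the checks in "Key Takeaways" into working code using only the Python standard library. It builds an HS256 token from the page's claim set, then verifies it the way a receiver should: the algorithm is pinned rather than read from the header, the signature is compared in constant time before any claim is trusted, and exp, nbf, iss and aud are enforced. The secret, the helper names (sign_hs256, verify_hs256, forge_payload, alg_none_token, is_rejected) and the negative cases are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed inputs for this example: a demo key and the page's claim set.
# A real key comes from a secret store, never from source code.
DEMO_SECRET = b"demo-hs256-key-0123456789abcdef-32bytes"
ISSUER = "https://auth.example.com/"
AUDIENCE = "https://api.example.com/"
DEMO_CLAIMS = {"iss": ISSUER, "sub": "user-123", "aud": AUDIENCE,
               "iat": 1715400000, "exp": 1715403600}


class InvalidToken(Exception):
    """Raised for any token the receiver must not accept."""


def b64url_encode(data: bytes) -> str:
    # JWS uses Base64URL with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding before decoding; bad input raises ValueError.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON (no whitespace) so the encoded segment is canonical.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature exactly as the page's pseudocode describes."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 now: int = None, leeway: int = 0) -> dict:
    """Return the claims if and only if the token is acceptable for this receiver."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        presented = b64url_decode(s_b64)
    except ValueError:
        raise InvalidToken("header or signature is not valid Base64URL/JSON")
    # Pin the algorithm: "none", RS256 (key confusion) or anything else is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm is not the expected HS256")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    # Only now is the payload worth parsing.
    try:
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise InvalidToken("payload is not valid Base64URL/JSON")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise InvalidToken("token expired or has no exp")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf - leeway):
        raise InvalidToken("token not yet valid")
    if claims.get("iss") != issuer:
        raise InvalidToken("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not intended for this audience")
    return claims


def forge_payload(token: str, new_claims: dict) -> str:
    """Attacker attempt: keep the real header and signature, swap the payload."""
    h_b64, _, s_b64 = token.split(".")
    return f"{h_b64}.{_segment(new_claims)}.{s_b64}"


def alg_none_token(claims: dict) -> str:
    """Attacker attempt: an unsigned token that asks the verifier to skip the check."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def is_rejected(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    """True if verify_hs256 refuses the token (used for the negative cases)."""
    try:
        verify_hs256(token, key, issuer, audience, now=now)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    tok = sign_hs256(DEMO_CLAIMS, DEMO_SECRET)
    print("token:", tok)
    print("valid:", verify_hs256(tok, DEMO_SECRET, ISSUER, AUDIENCE, now=1715400010))
    print("forged payload rejected:", is_rejected(forge_payload(tok, {**DEMO_CLAIMS, "sub": "admin"}), DEMO_SECRET, ISSUER, AUDIENCE, 1715400010))
    print("alg=none rejected:", is_rejected(alg_none_token(DEMO_CLAIMS), DEMO_SECRET, ISSUER, AUDIENCE, 1715400010))
    print("expired rejected:", is_rejected(tok, DEMO_SECRET, ISSUER, AUDIENCE, 1715403600))
```

The order inside verify_hs256 is the point: algorithm pin, then signature, then claims. Parsing the payload or honouring its exp before the signature has been checked hands an attacker a parser and a clock to play with; with the order above, a forged payload and an "alg": "none" token both fail before any claim is read, and the expired token fails even though its signature is genuine.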