JWT, short for JSON Web Token, is used for user authentication and is passed between the user and the server. A JWT encodes the user's identity and is digitally signed, so it cannot be altered or forged without the signing key; the application can later make access-control decisions for the user based on the identity the token carries.
A JWT is a string composed of three parts, the header, the payload, and the signature, separated by a period (.). Here is an example:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NjQ5ODI5OTcsIm5iZiI6MTU2NDk4Mjk5NywianRpIjoiMGIzOTVlODQtNjFjMy00NjM3LTkwMzYtZjgyZDgyYTllNzc5IiwiZXhwIjoxNTY0OTgzODk3LCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.t6F3cnAmbUXY_PwLnnBkKD3Z6aJNvIDQ6khMJWj9xZM
The header of the JWT contains the token type, "typ": "JWT", and the signing algorithm, "alg": "HS256" (HMAC with SHA-256). We can see this clearly if we base64 decode the header string:
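As an added example (not code from the original article), the Python below splits the sample token above into its three parts and base64url-decodes the header and payload, which is all the "decode" step does and proves nothing about who issued the token. It also shows the step that actually matters on the server side: recomputing the HS256 signature with the server's secret, comparing it in constant time, pinning the expected algorithm instead of trusting the token's own "alg" field, and honouring the exp and nbf claims. The secret "demo-secret" and the second token built with it are constructed for the example; the real secret behind the article's sample token is not known here, so that token can only be decoded, not verified.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Sample token from the article above (header.payload.signature).
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpYXQiOjE1NjQ5ODI5OTcsIm5iZiI6MTU2NDk4Mjk5NywianRpIjoiMGIzOTVlODQtNjFjMy00NjM3LTkwMzYtZjgyZDgy"
    "YTllNzc5IiwiZXhwIjoxNTY0OTgzODk3LCJpZGVudGl0eSI6MywiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0."
    "t6F3cnAmbUXY_PwLnnBkKD3Z6aJNvIDQ6khMJWj9xZM"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore the padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode: base64url with the trailing '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Split on '.' and decode header and payload. This only reads the token; it checks nothing."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 token: signature = HMAC-SHA256(secret, header_b64 + '.' + payload_b64)."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is inside its time window, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts, bad base64, or bad JSON
        return None
    # Pin the algorithm the server expects; the token's own header must not choose it.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    if "nbf" in payload and now < payload["nbf"]:
        return None
    return payload


if __name__ == "__main__":
    header, payload = decode_unverified(SAMPLE_TOKEN)
    print("header :", header)
    print("payload:", payload)
    # Constructed secret and token (not from the article) to show a full sign/verify round trip.
    demo = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"sub": "alice", "exp": 2000000000}, b"demo-secret")
    print("verified:", verify_hs256(demo, b"demo-secret", now=1900000000))
    print("wrong key:", verify_hs256(demo, b"some-other-secret", now=1900000000))
```

Decoding the header of the article's token yields {"typ": "JWT", "alg": "HS256"}; the payload carries the issued-at, not-before and expiry timestamps plus the user's identity. Any change to those bytes, or to the header, changes the signing input and the HMAC no longer matches, which is the property the article relies on when it calls the token unforgeable.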