Understanding JWT

How authentication with JSON Web Token (JWT) works


JSON Web Tokens (JWT) have become a popular method for implementing authentication in web applications. This article delves into the inner workings of JWT authentication, exploring the concepts, structure, and implementation with code examples.

What is JWT?

JWT is a compact, URL-safe means of representing claims to be transferred between two parties. These claims are typically statements about an entity (e.g., user) and can be verified to ensure the integrity of the information.

Anatomy of a JWT

Components of a JWT

A JWT consists of three parts: Header, Payload, and Signature.

  1. Header: Specifies the type of token (JWT) and the signing algorithm being used.
  "alg": "HS256",
  "typ": "JWT"
  1. Payload: Contains claims. Claims are statements about an entity (typically, the user) and additional metadata.
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
  1. Signature: Created by combining the encoded header, encoded payload, and a secret key. This signature ensures the integrity of the token.

Combining the Parts

The final JWT somewhat looks like this:


How JWT Authentication Works

Step 1: User Authentication

When a user logs in, the server generates a JWT containing relevant user information.

Step 2: Sending the JWT to the Client

The server sends the JWT to the client, who stores it, typically in a cookie or local storage.

Step 3: Including JWT in Subsequent Requests

For authenticated requests, the client includes the JWT in the Authorization header or as a parameter.

GET /api/user
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Step 4: Server Verification

The server verifies the signature using its secret key. If valid, it trusts the information in the JWT and processes the request.

Node.js Example

Generating a JWT

const jwt = require('jsonwebtoken');
const user = { id: 1, username: 'john.doe' };
const secretKey = 'your-secret-key';
const token = jwt.sign(user, secretKey, { expiresIn: '1h' });

Verifying a JWT

const jwt = require('jsonwebtoken');
const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'; // Your JWT
const secretKey = 'your-secret-key';
jwt.verify(token, secretKey, (err, decoded) => {
  if (err) {
    console.error('Invalid token');
  } else {

Best Practices and Considerations

  • Keep Secrets Secure: Protect your secret key; it's crucial for JWT security.

  • Token Expiry: Set a reasonable expiration time for tokens to enhance security.

  • HTTPS Usage: Always use HTTPS to encrypt data during transit.


JWT authentication provides a scalable and stateless way to handle user authentication in web applications. By understanding its structure and implementation, developers can make informed decisions about when and how to leverage JWTs for secure user authentication.