In 2013, when we started building Auth0, we had to decide which standard we wanted our platform to be built on. Back then there was WS-Fed and SAML2. I was very familiar with both, having worked on many projects with Microsoft technologies. My main issue with these standards was that they were too complex: too many knobs and levers, interop issues and, above all, a lack of libraries.
On the other extreme we had OAuth2 which was rapidly being adopted because of its simplicity. It was also being used by Facebook, Google and many others. There were already libraries written in many languages, making it even more appealing.
OpenID Connect was being drafted as a very thin layer on top of OAuth2 to overcome exactly that issue. With the introduction of JSON Web Tokens there was now a simple way of verifying user identity and audience (the consumer of these tokens).
Back then it was on draft-06, and I decided to join the Working Group.
Why is JWT so popular?
I think there are many reasons why JWT is being widely adopted:
- It embraces JSON which is already heavily adopted across many stacks.
- It is simple to use and simple to implement (hence more libraries and fewer interop issues).
- It supports symmetric and asymmetric crypto which solves the majority of use cases.
Numbers speak for themselves
About 2 years after the first draft, this simple yet useful standard has expanded:
- 972 GitHub repos related to JWT.
- 2600+ StackOverflow threads.
- 400K page views on jwt.io.
- 50K Google results.
If you use Android, AWS, Microsoft Azure, Salesforce, or Google then chances are that you are already using JWT.
We very much believe in this standard so we wanted to keep making contributions to foster its adoption. We are happy to share the new logo, the new website, badges, and other things. :)
The central component of the branding is a logo symbol representing an individual JSON Web Token. The circular icon was designed to suggest a coin while avoiding being mistaken for a digital currency symbol.
Here are some initial sketches and colors:
We decided to use the starburst shape representing the crypto protection of a JSON Web Token. Multicolored spokes radiate from the centralized hub representing the various claims within a payload. Here is the final symbol:
JSON Web Token has been abbreviated to the initials JWT and custom lettering was developed.
We redesigned jwt.io, incorporating the new branding. The debugger is still the central piece. We added support for RS256 in addition to HS256.
In the libraries section, we improved the readability by color coding each library and using the proper logos for each. In addition to that, we added the number of stars from the GitHub repository.
Badges and Others
If your API supports JSON Web Tokens, feel free to add this badge.
If there is some functionality on your site that uses and exposes JSON Web Tokens, you can use the following button to open the JWT on jwt.io.
The token is sent through the hash like this:
Finally, we designed some cool JWT t-shirts that you can order from swag.auth0.com.
Special thanks to Ty Wilkins for crafting the logo and lettering, Ricky Rauch and team for the awesome-looking website, Alberto Pose who created the initial jwt.io version and curates the community contributions, Guillermo Rauch for his constant advice, Mike Jones for introducing me to the working group and all of you who contributed to jwt.io through GitHub.
JWT all the things!