
JSON Web Tokens

For more information on all the types of tokens used by Auth0, see Tokens.

JSON Web Token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

  • Compact: Because of its relatively small size, a JWT can be sent through a URL, through a POST parameter, or inside an HTTP header, and it is transmitted quickly.
  • Self-contained: A JWT contains all the required information about an entity to avoid querying a database more than once. The recipient of a JWT also does not need to call a server to validate the token.

The information contained within the JSON object can be verified and trusted because it is digitally signed. JWTs can also be encrypted to provide secrecy between parties, but this page focuses on signed tokens: a signature lets the recipient verify the integrity of the claims, whereas encryption hides those claims from other parties.

JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. When a token is signed with a public/private key pair, the signature also proves that it was produced by the party holding the private key.

For additional information about why to use JWT over other token formats, including Simple Web Tokens (SWT) and SAML tokens, see Why Use JSON Web Token.

Use of JWTs

JWT is a standard, which means that all JWTs are tokens, but not all tokens are JWTs. JWTs can be used in a variety of ways:

  • Authentication: When a user successfully logs in using their credentials, an ID Token is returned. According to the OpenID Connect (OIDC) specs, an ID Token is always a JWT.

  • Authorization: Once a user is successfully logged in, an application may request to access routes, services, or resources on behalf of that user. To do so, it uses an Access Token, which may be in the form of a JWT. Each subsequent request includes the access token. Single Sign-on (SSO) widely uses JWT because of the small overhead of the format, and its ability to easily be used across different domains.

  • Information Exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be sure that the senders are who they say they are. Additionally, the structure of a JWT allows you to verify that the content hasn't been tampered with.

However you use JWTs, follow best practices for tokens and always verify the signature before storing or using a JWT. For more information on how to implement JWT, see Programmatically Parse and Validate JSON Web Tokens.
