jwt
"JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA." - https://jwt.io/introduction/
"A JSON web token, or JWT (“jot”) for short, is a standardized, optionally validated and/or encrypted container format that is used to securely transfer information between two parties." - A plain English introduction to JWT
Tidbits
- JWT is abstract. The concrete forms are signed (JWS) or encrypted (JWE)
- Unsigned tokens have "alg": "none" in the header but are still in JWS format: three sections with an empty signature. A validator must pin the algorithm it expects and never take it from the header, otherwise an attacker can rewrite any token as "alg": "none" and strip the signature.
- JWS has three base64url sections: header.payload.signature
- JWE comes in two serializations: the compact form has five dot-separated sections (protected header, encrypted key, IV, ciphertext, authentication tag); the JSON serialization is a JSON object rather than a dotted string.
- Signatures are created either with a shared secret (HMAC; the same key both signs and validates, so every party that can validate can also mint tokens) or with a public/private key pair (e.g. RSA; the private key signs, and only the public key is needed to validate). In either case some key material must be configured on the validating side ahead of time, so JWT is not a self-contained trust mechanism: the token is only as trustworthy as the out-of-band key distribution behind it.
Links
- https://jwt.io
- https://medium.com/ag-grid/a-plain-english-introduction-to-json-web-tokens-jwt-what-it-is-and-what-it-isnt-8076ca679843
- https://docs.mongodb.com/realm/authentication/custom-jwt
- https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/
- https://tools.ietf.org/html/rfc7519
- https://medium.com/dataseries/public-claims-and-how-to-validate-a-jwt-1d6c81823826
- https://auth0.com/docs/tokens/json-web-tokens