

"JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA." -

"A JSON web token, or JWT (“jot”) for short, is a standardized, optionally validated and/or encrypted container format that is used to securely transfer information between two parties." - A plain English introduction to JWT


  • JWT is abstract. The concrete forms are signed (JWS) or encrypted (JWE).
  • Unsigned JWTs have "alg": "none" in the header, but still use the JWS format.
  • JWS has three sections: header.payload.signature
  • JWE comes in two forms with either 5 or 6 sections
  • Signatures can be created with a shared key (required for both signing and validating) or with a public/private key pair, where the private key is used to sign and only the public key is needed to validate. In either case, a piece of information must be configured ahead of time for JWT to function, so it is not a self-contained mechanism.
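
The shared-key case from the list above, as an added example that is not part of the original page: a minimal HS256 signer and verifier using only the Python standard library. The function names and the sample key are assumptions made for illustration; the verifier pins the algorithm, so a three-section token with "alg": "none" is refused.

```python
import base64
import hashlib
import hmac
import json

SAMPLE_KEY = b"constructed-demo-key"  # constructed sample; configured on both sides ahead of time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature using HMAC-SHA256 and the shared key."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def unsigned_token(payload: dict) -> str:
    """Constructed sample of an unsigned JWT: still three sections, empty signature."""
    return encode_json({"alg": "none"}) + "." + encode_json(payload) + "."

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload only if the token is an HS256 JWS signed with `key`."""
    parts = token.split(".")
    if len(parts) != 3:  # a 5-section token is JWE, not JWS
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the token's header is only checked against it,
    # so "alg": "none" (or any other value) is rejected before any claim is trusted.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature does not match the configured key")
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice"}, SAMPLE_KEY)
    print(token)
    print(verify_hs256(token, SAMPLE_KEY))
```
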