"JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA." - https://jwt.io/introduction/
"A JSON web token, or JWT (“jot”) for short, is a standardized, optionally validated and/or encrypted container format that is used to securely transfer information between two parties." - A plain English introduction to JWT
- JWT is abstract. The concrete forms are signed (JWS) or encrypted (JWE)
- Unsigned tokens have "alg": "none" in the header, but are still in JWS format: three dot-separated sections with an empty signature section.
- JWS has three sections: header.payload.signature
- JWE has two serializations: compact, with five dot-separated sections (header.encrypted_key.iv.ciphertext.tag), and JSON, which is a JSON object rather than dot-separated sections.
- Signatures can be created using a shared key (the same key is required for both signing and validating) or using a public/private key pair, where the private key signs and only the public key is needed to validate. In either case, a key must be configured on the validating side ahead of time for JWT to function, so it is not a self-contained mechanism despite the "self-contained" description above.
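The three-section JWS layout, the "alg": "none" form, and the shared-key signing/validation rule described in the list above, as an added example that is not from the original page or from any library it cites. It uses only the Python standard library and covers the HMAC (shared-key) variant; the secret and claims are constructed sample inputs, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs (not from the original page).
SECRET = b"correct horse battery staple"
CLAIMS = {"sub": "1234567890", "name": "Alice", "admin": False}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a JWS compact serialization header.payload.signature with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsecured_jws(claims: dict) -> str:
    """An "alg": "none" token: still three dot-separated sections, with an empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    return _encode_json(header) + "." + _encode_json(claims) + "."


def forge_admin(token: str) -> str:
    """Attacker-style tampering: replace the payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["admin"] = True
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify a token the verifier expects to be HS256 and return its claims.

    The accepted algorithm is fixed here by the verifier, never taken from the
    header: trusting the header's "alg" is what allows a downgrade to "none".
    Raises ValueError on any malformed or unverifiable token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token: str, secret: bytes) -> bool:
    """True if verify_hs256 accepts the token, False on any verification failure."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print("token:", token)
    print("verified claims:", verify_hs256(token, SECRET))
    print("tampered payload accepted?", is_accepted(forge_admin(token), SECRET))
    print("alg none accepted?", is_accepted(unsecured_jws(CLAIMS), SECRET))
    print("wrong secret accepted?", is_accepted(token, b"wrong"))
```

The verifier decides which algorithm it will accept and which key it will use before it looks at the token; the only thing it reads from the header is whether the token claims that same algorithm. That is the configured-ahead-of-time piece the last bullet refers to, and it is why the tampered, unsecured, and wrong-key tokens are all rejected while the genuine one verifies.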