JWT decode

Decode JWT tokens into a readable format to view the header and payload. 100% local processing, zero upload, zero risk.

What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
Structure of JWT
JWT consists of three parts, separated by dots (.): Header, Payload, and Signature. The Header specifies the signature algorithm, the Payload contains the claims, and the Signature is used to verify that the message wasn't altered.
Common use cases for JWT
Authentication (most common scenario), information exchange (JWTs can securely transmit information as they are signed), authorization (contains user permission information), and single sign-on implementation.
Types of signature algorithms
JWT supports various signature algorithms, mainly divided into two categories: HMAC-based symmetric algorithms (such as HS256) and RSA/ECDSA-based asymmetric algorithms (such as RS256, ES256). Symmetric algorithms use the same key for signing and verification, while asymmetric algorithms use a private key for signing and a public key for verification.
Security tips
Do not store sensitive information (such as passwords) in a JWT, as the Payload part is only Base64url encoded, not encrypted: anyone holding the token can read it without any key. For applications requiring high security, it is recommended to use a short expiration time and implement a token rotation strategy.
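As an added example (not this tool's own code), here is the decode step described under "Structure of JWT" and the reason behind the security tip above: the three dot-separated parts are split, the header and payload are base64url-decoded and parsed as JSON with no key involved, and the signature is left as-is because it cannot be checked here. The sample token and the list of claim names flagged as sensitive are constructed for the demonstration.

```javascript
// Added example, not the decode tool's own code: decode a JWT locally without any key.
// The sample token below is constructed by hand for this demonstration.
function base64UrlDecode(part) {
  // Reject characters outside the base64url alphabet so malformed input fails loudly.
  if (!/^[A-Za-z0-9_-]*$/.test(part)) throw new Error('invalid base64url');
  return Buffer.from(part, 'base64url').toString('utf8');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated parts, got ' + parts.length);
  const [h, p, s] = parts;
  const payload = JSON.parse(base64UrlDecode(p));
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload,
    // Render the numeric "exp" (seconds since epoch) as a date, as decode tools do.
    expiresAt: typeof payload.exp === 'number' ? new Date(payload.exp * 1000).toISOString() : null,
    signature: s,      // left encoded: it cannot be verified without the key
    verified: false,   // decoding says nothing about authenticity
  };
}

// Claim names that should never appear in a payload (constructed list); a decode
// tool could flag them so the reader notices the tip above applies to their token.
const SENSITIVE_CLAIMS = ['password', 'secret', 'ssn', 'credit_card'];
function findSensitiveClaims(payload) {
  return Object.keys(payload).filter((k) => SENSITIVE_CLAIMS.includes(k.toLowerCase()));
}

// Constructed sample: payload carries a claim that should not be there. Anyone who
// holds the token can read it, key or not.
const SAMPLE = [
  Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url'),
  Buffer.from(JSON.stringify({
    sub: 'user-42', email: 'u42@example.invalid', password: 'hunter2', exp: 1700000000,
  })).toString('base64url'),
  'signature-not-checked-here',
].join('.');

const decoded = decodeJwt(SAMPLE);
console.log(JSON.stringify(decoded, null, 2));
console.log('sensitive claims:', findSensitiveClaims(decoded.payload));
```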
What to do when JWT expires?
When a JWT expires, the server will reject the token. The recommended approach is to implement a refresh token mechanism, where the client uses a refresh token to obtain a new access token without requiring the user to log in again. Refresh tokens usually have a longer validity period but should be stored carefully.
How to revoke a JWT?
Strictly speaking, JWTs are designed as stateless tokens and cannot be truly revoked. However, there are several common solutions: maintaining a blacklist of revoked tokens (which may negate the stateless advantage of JWTs), using short expiration times with refresh tokens, or embedding a version identifier in the token, allowing the server to reject older versions.
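The two answers above (expiry with refresh tokens, and revocation by denylist or version identifier) can be seen together in the following added example, which is not this tool's code. It shows the server-side checks that run after a signature has already been verified: expiry with a small clock-skew allowance, a denylist of token ids, a per-user token version, and a refresh step that mints new access-token claims without a new login. The access-token lifetime, the leeway, the `use` claim that distinguishes refresh from access tokens, the `ver` claim and all sample data are assumptions made for the demonstration.

```javascript
// Added example, not the decode tool's own code: claim checks that run after the
// signature is verified. Policy values and sample data are constructed for the demo.
const ACCESS_TTL = 15 * 60;   // seconds; short-lived access token (assumed policy)
const LEEWAY = 30;            // seconds of clock skew tolerated (assumed policy)

// Revocation strategies from the text: a denylist of token ids (costs server state),
// and a per-user token version the server bumps on logout or password change so
// every token minted with an older version is rejected.
const revokedJti = new Set(['jti-0001']);
const userTokenVersion = new Map([['user-42', 3]]);

// `now` is seconds since epoch, passed in so the checks are deterministic.
function validateClaims(payload, now) {
  if (typeof payload.exp !== 'number') return { ok: false, reason: 'missing-exp' };
  if (payload.exp + LEEWAY <= now) return { ok: false, reason: 'expired' };
  if (typeof payload.nbf === 'number' && payload.nbf - LEEWAY > now) {
    return { ok: false, reason: 'not-yet-valid' };
  }
  if (payload.jti && revokedJti.has(payload.jti)) return { ok: false, reason: 'revoked' };
  const current = userTokenVersion.get(payload.sub);
  if (current !== undefined && payload.ver !== current) return { ok: false, reason: 'stale-version' };
  return { ok: true };
}

// Refresh endpoint logic: given the claims of a refresh token (already signature-
// checked elsewhere), mint claims for a fresh short-lived access token. The `use`
// claim telling refresh and access tokens apart is an assumed custom claim.
function refreshAccessClaims(refreshPayload, now) {
  const check = validateClaims(refreshPayload, now);
  if (!check.ok) return check;
  if (refreshPayload.use !== 'refresh') return { ok: false, reason: 'not-a-refresh-token' };
  return {
    ok: true,
    claims: {
      sub: refreshPayload.sub,
      use: 'access',
      ver: userTokenVersion.get(refreshPayload.sub),
      iat: now,
      exp: now + ACCESS_TTL,
    },
  };
}

// Simulate a logout everywhere: bump the version; older tokens now fail validation.
function revokeAllTokensFor(sub) {
  userTokenVersion.set(sub, (userTokenVersion.get(sub) || 0) + 1);
  return userTokenVersion.get(sub);
}

// Constructed walk-through.
const NOW = 1700000000;
console.log(validateClaims({ sub: 'user-42', exp: NOW - 100, ver: 3 }, NOW));          // expired
console.log(validateClaims({ sub: 'user-42', exp: NOW + 100, ver: 2 }, NOW));          // stale-version
console.log(refreshAccessClaims({ sub: 'user-42', exp: NOW + 86400, ver: 3, use: 'refresh' }, NOW));
```

Short access-token lifetimes plus a long-lived refresh token keep the revocation window small without per-request server lookups; the version check and the denylist are the two ways the text describes to close that window immediately, at the cost of some server-side state.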
Difference between JWT and session?
JWT is a self-contained token that contains all necessary information, suitable for distributed systems and does not require server-side session state. Session is based on server-side storage, requires maintaining session state, and is more suitable for single-server architectures. JWT is more scalable but complex to revoke; Session is easy to revoke but less scalable.