How ‘json web tokens’ work

Json Web Tokens (JWT) are a means to send json objects between 2 parties. They can be secured with keys, so the receiver can verify the source.

It consists of a concatenation of 3 json-strings that are encoded according to an algorithm.

First part

The first json (up to the first point) is a header with info, such as the algorithm used.

Second part

The second part is the actual data (payload) that is encoded with the algorithm from the header.

Registered claims

The payload may contain registered claims. The claims are only 3 characters long. This was done to keep the data as small as possible.


  • iss = the issuer (=the sender)
  • exp = expiration time (seconds), how long the token remains valid
  • aud = audience
  • iat = the timestamp of when the token was created
  • jti = unique identifier of the token
  • sid = session id

Third part

The third part is a mechanism to check whether the data was sent by the correct party (verify signature).

It contains a key that is known by the sender and receiver.

This is important, because if someone else would send a token, or change it, but he does not know the key, then that third-party json will not be correct, and so the recipient can know that fraud has occurred.

However, the third part does not protect the data from being decoded. Even without the third part, the data can be decoded.


  • At the left side you see the json-web token.
  • At the right side you see the decoded 3 parts.
  • Without the 3rd part (the signature) you can also decode the message, you just can’t verify if it was altered by a malicious party.


To try it out by yourself, check the official website of JSON web tokens.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.