Tutorial by Examples

An unsigned JWT has the header value alg: none and an empty JWS (signature) component:
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.
The trailing dot indicates that the signature is empty. Header { "alg": "...
A signed JWT includes a Base64 Url Safe encoded signature as the third component. The algorithm used to generate the signature is indicated in the header.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2huIERvZSIsImFkbWluIjp0cnVlLCJpYXQiOjE0NzAzNTM5OTQsImV4cCI6MTQ3MDM1NzYyNywianRpIjoiNmU0MDRiY...
JSON Web Encryption (JWE) represents encrypted content using JavaScript Object Notation (JSON) based data structures. It defines a way to encrypt your claims data so that only the intended receiver can read the information present in a token. In the JWE JSON Serialization, a JWE is represented as a JS...
From Section 9 of the JSON Web Encryption specification (RFC 7516): The JOSE Header for a JWS can be distinguished from the JOSE Header for a JWE by examining the "alg" (algorithm) Header Parameter value. If the value represents a digital signature or MAC algorithm, or is the value "no...
The JWT RFC establishes three classes of claims: Registered claims, like sub, iss, exp or nbf. Public claims, with public names or names registered by IANA, which contain values that should be unique, like email, address or phone_number. Private claims, to use in your own context...
