JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are widely used for stateless authentication in modern web applications, APIs, and microservices—eliminating the need for server-side session storage. Each token is self-contained (carrying claims about the user), signed to ensure integrity, and optionally encrypted for confidentiality. The key mental model: a JWT is not a session—it's a portable proof of identity that any service with the right key can verify independently, making it ideal for distributed systems but requiring careful handling to prevent token theft, replay attacks, and algorithm confusion exploits.
What This Cheat Sheet Covers
This topic spans 18 focused tables and 120 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Token Structure & Encoding
Every JWT is three Base64URL segments glued together by dots — header, payload, signature — and that anatomy is the foundation for everything else here. The header declares how the token is signed, the payload carries the claims, and the signature locks both against tampering. Crucially, Base64URL is encoding, not encryption, so anyone holding the token can read the first two parts.
| Component | Example | Description |
|---|---|---|
| Header | `{"alg":"HS256", "typ":"JWT"}` | JSON object specifying token type and signing algorithm; Base64URL-encoded to form the first segment |
| Payload | `{"sub":"1234", "name":"Alice", "iat":1516239022}` | JSON object containing claims (statements about an entity); Base64URL-encoded as the second segment |
| Signature | `HMACSHA256(base64(header) + "." + base64(payload), secret)` | Cryptographic signature ensuring integrity; computed over the encoded header and payload with the secret/key |
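The three-segment anatomy above, as an added stdlib-only example that is not part of the original cheat sheet: it builds an HS256 token with unpadded Base64URL encoding, shows that the payload is readable without any key, and verifies the signature while pinning the expected algorithm (the secret is a constructed demo value).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded Base64URL, so the '=' padding is stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the padding that was stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact separators keep the encoded segments free of whitespace
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def peek_payload(token: str) -> dict:
    # No key needed: the payload is only encoded, not encrypted
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Returns the claims on success, None on any structural or signature failure
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(head))
    # Pin the algorithm the verifier expects; the token must not choose it
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))
```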