JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are widely used for stateless authentication in modern web applications, APIs, and microservices—eliminating the need for server-side session storage. Each token is self-contained (carrying claims about the user), signed to ensure integrity, and optionally encrypted for confidentiality. The key mental model: a JWT is not a session—it's a portable proof of identity that any service with the right key can verify independently, making it ideal for distributed systems but requiring careful handling to prevent token theft, replay attacks, and algorithm confusion exploits.
What This Cheat Sheet Covers
This topic spans 18 focused tables and 120 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Token Structure & Encoding
| Component | Example | Description |
|---|---|---|
| Header | `{"alg":"HS256", "typ":"JWT"}` | • JSON object specifying token type and signing algorithm • Base64URL-encoded to form the first segment |
| Payload | `{"sub":"1234", "name":"Alice", "iat":1516239022}` | • JSON object containing claims (statements about an entity) • Base64URL-encoded as the second segment |
| Signature | `HMACSHA256(base64url(header) + "." + base64url(payload), secret)` | • Cryptographic signature ensuring integrity • Computed from the encoded header + "." + encoded payload, keyed with the secret (HMAC) or private key (asymmetric algorithms) |
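The three segments in Table 1 can be built and checked with nothing but the standard library, which makes the encoding concrete. The block below is an added example, not code from the original cheat sheet: it produces a compact HS256 token from a header and payload and then verifies one, pinning the expected algorithm on the verifier side and comparing signatures in constant time (the two controls behind the "algorithm confusion" and signature-forgery concerns in the introduction). The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs; any real deployment uses a high-entropy secret.
SAMPLE_SECRET = b"constructed-demo-secret-do-not-reuse"
SAMPLE_CLAIMS = {"sub": "1234", "name": "Alice", "iat": 1516239022}


def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding stripped by b64url_encode, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for the HS256 algorithm."""
    header = {"alg": "HS256", "typ": "JWT"}
    # separators=(",", ":") yields the compact JSON seen in the table.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims of a valid HS256 token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides which algorithm is acceptable, never the token;
    # this rejects "none" and any key-type confusion (e.g. RS256 -> HS256).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))


def is_valid_hs256(token: str, secret: bytes) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need a yes/no."""
    try:
        verify_hs256(token, secret)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    token = sign_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print(token)
    print(verify_hs256(token, SAMPLE_SECRET))
```

Note that the verifier parses the header only to confirm it names the algorithm the server already expects; the header is never trusted to select the verification routine, and the payload is decoded only after the signature check passes.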