JWT (JSON Web Token) is a very lightweight specification. It lets a client and a server exchange information in a form whose integrity the receiver can verify: any tampering with the token is detected when the signature is checked.
A JWT is actually just a string made of three parts: the header, the payload and the signature.
Let's first describe the user-authentication information as a JSON object. A few extra fields are added so that the server receiving this JWT can interpret it correctly later.
The first six fields are defined by the JWT standard (they are its registered claim names); their definitions can be found in the standard.
Base64 encoding the JSON object above (more precisely, the URL-safe base64url variant that JWT uses, which has no `=` padding) gives the following string:
This string is called the payload of the JWT.
If you use Node.js, the base64url package produces this string:
Note: Base64 is an encoding, not encryption. Anyone holding the token can decode the payload back to the original JSON without knowing any secret, so the payload must never carry data that has to stay confidential; the signature only protects its integrity.
Header
JWT also needs a header describing the most basic information about the token, such as its type and the algorithm used for the signature. This is again expressed as a JSON object:
This states that the token is a JWT and that the signing algorithm we use (covered below) is HS256.
The header also needs Base64 (base64url) encoding, and the resulting string becomes the header part of the JWT:
Join the two encoded strings with a period (header first) to form the signing input:
Finally, we sign this joined string with the HS256 algorithm, which is an HMAC using SHA-256. Computing the HMAC requires a secret key that only the issuing server knows:
This gives us the following value:
This part is called the signature.
Finally, the signature is appended after the signed string, again separated by a period, and we get the complete JWT: