Brian Morrison IIJWTs are used a lot in authentication, but have you ever wondered how libraries extract information about the user from this massive blob of text?
Here is what a raw JWT looks like:
Oftentimes these are stored in a cookie or in the browser’s local storage to be sent with HTTP requests.
JWTs have three parts
JWTs are made up of three separate parts, each separated by a period.
The header contains info about the JWT and the encryption algorithm used to sign it. The payload (or claims) section contains encoded information such as who the JWT was created for, who created it, when it expires, etc. And the signature is a cryptographically signed version of the header and claims to prevent tampering.
Here is what that same JWT looks like, split on the periods:
Decoding the payload
While every part of the JWT is important, the data that gets returned from extraction and verification libraries comes from the payload.
The payload is simply a JSON object that’s been base64 encoded. Anything encoded with base64 can be decoded as well since it’s NOT encryption. Reversing the encoding returns the same data that was passed in!
🤗 If you are interested in more content like this and want to support me, consider joining my newsletter!
