JWT or JSON Web Token is JSON base standard for credential access (RFC 7519). The token contains access claims. For example the authentication server can generate token with claim “edit article” and the user with this claim can access functionality in REST API to “edit article”.

What is JWT structure?

Typically JWT looks like:


JSON Web Token contains 3 elements: Header (xxxx), Payload (yyyy) and Signature (zzzz). Every part of token is Base64 encoded.



The header contains information about the token type and signature algorithm. Property “typ” contains the type and property “alg” contains the signature algorithm. In our example we use HMAC SHA-256 for signature.


The payload contains user “claims”. It can be user data or access options. You can add as many options as you want.


Signature is used to verify the token data. The algorithm to create signature is:

  1. Calculate Base64 URL encoded header and payload.
  2. Concatenate encoded header and payload with “.”
  3. Compute signature with your secret and the string from step 2
  4. Get Base64 URL encoded string from step 3

How does it work?

Example usage of JWT
Example usage of JWT

On the picture above you can see an example usage of JWT. The Sign-in step can be with username and password, windows authentication, external API like Facebook, Google or some other method of our choosing. The authentication server sends Authentication response / create JWT. In this step, the application/user receives either the token if it is created or a negative response. After that every time the application wants to make a call to the API it sends this token. If the application server
successfully validates the token, it processes the call.