
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. They consist of three parts:
- Header – Specifies the token type (JWT) and the signing algorithm (e.g., HMAC SHA256 or RSA).
- Payload – Contains claims (user data, permissions, expiration time).
- Signature – Ensures the token hasn’t been altered.
Example JWT Structure:
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
Signature:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret_key
)
You Should Know:
1. Generating a JWT (Linux/Node.js Example)
Install `jsonwebtoken` in Node.js:
npm install jsonwebtoken
Generate a JWT:
const jwt = require('jsonwebtoken');
const token = jwt.sign({ user: 'admin' }, 'your_secret_key', { expiresIn: '1h' });
console.log(token);
2. Verifying a JWT
Pin the accepted algorithm instead of letting the token's header choose it, and log the reason on failure:
jwt.verify(token, 'your_secret_key', { algorithms: ['HS256'] }, (err, decoded) => {
  if (err) console.log("Invalid Token:", err.message); // bad signature, expired, wrong alg, ...
  else console.log(decoded);
});
3. Decoding a JWT (Linux Command Line)
JWT segments are base64url without `=` padding, so a plain `base64 -d` chokes on `-`, `_` and the missing padding. Translate the alphabet and restore padding first (this only decodes the payload; it does not verify the signature):
echo "your.jwt.token" | cut -d '.' -f 2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | jq
4. Common JWT Attacks & Mitigations
- None Algorithm Bypass: never let the token's `alg` header select the verification algorithm. Pin the allowed algorithm(s) server-side (`algorithms: ['HS256']` in jsonwebtoken, `algorithms=["HS256"]` in PyJWT) and reject `"alg": "none"` outright.
- Secret Key Brute Forcing: use long random HS256 keys of at least 32 bytes (e.g. `openssl rand -hex 32`); a short or dictionary secret can be recovered offline from a single captured token.
- Token Expiry Check: always set and validate the `exp` claim, and keep lifetimes short.
5. Using JWTs in APIs (cURL Example)
curl -H "Authorization: Bearer your.jwt.token" https://api.example.com/data
6. Revoking JWTs (Server-Side Denylist)
A signed JWT stays valid until `exp`, so revocation needs server-side state (a denylist is not stateless). Give each token a unique `jti` claim, store revoked IDs in Redis with a TTL equal to the token's remaining lifetime, and check the ID on every verify:
redis-cli SET "jwt:revoked:<jti>" "1" EX 3600
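Added example, not code from the original post and not the jsonwebtoken or PyJWT calls shown on this page: a minimal HS256 mint/verify written against the Python standard library only (hmac, hashlib, base64), implementing the Signature formula from the top of the page, the three mitigations of section 4 (alg pinning, strong key, exp check) and the `jti` denylist of section 6. The function names (`mint`, `verify`, `verify_naive`, `forge_none`, `revoke`, `check`), the demo secret and the fixed timestamps are assumptions for illustration; the in-memory `REVOKED` dict stands in for the Redis `SET ... EX` pattern above. `verify_naive` is included deliberately as the vulnerable pattern that the `alg: none` forgery defeats, beside the pinned `verify` that rejects it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed demo key only; generate a real one with `openssl rand -hex 32`.
SECRET = b"demo-secret-use-openssl-rand-hex-32-in-production"

# Denylist: jti -> exp of the revoked token (Redis equivalent: SET jwt:revoked:<jti> 1 EX <ttl>).
REVOKED: dict = {}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it or urlsafe_b64decode raises.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint(claims: dict, secret: bytes, ttl: int, now=None) -> str:
    """HS256 token exactly as the Signature formula above describes,
    with iat/exp added and a random jti so the token can be revoked later."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl, jti=secrets.token_hex(8))
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none(token: str) -> str:
    """Attacker's move for the 'none' bypass: keep the payload, set alg=none, drop the signature."""
    _, p_b64, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p_b64 + "."


def verify_naive(token: str, secret: bytes) -> dict:
    """VULNERABLE pattern: the token's own header decides which algorithm is checked."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header["alg"] == "HS256":
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise ValueError("bad signature")
    elif header["alg"] != "none":
        raise ValueError("unsupported alg")
    return json.loads(b64url_decode(p_b64))  # alg=none: accepted with no signature at all


def verify(token: str, secret: bytes, now=None) -> dict:
    """Hardened verifier: algorithm pinned server-side, constant-time MAC compare,
    exp mandatory, jti checked against the denylist."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # "none", RS256, HS512... all rejected before any crypto
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired")
    for jti, exp in list(REVOKED.items()):  # Redis does this pruning for us via EX
        if exp <= now:
            del REVOKED[jti]
    if payload.get("jti") in REVOKED:
        raise ValueError("token revoked")
    return payload


def revoke(token: str) -> None:
    """Denylist the token's jti until the token would have expired anyway."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    REVOKED[payload["jti"]] = payload["exp"]


def check(token: str, secret: bytes, now=None) -> str:
    """Return 'ok' or the rejection reason, for logging/tests."""
    try:
        verify(token, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t = mint({"user": "admin"}, SECRET, ttl=3600)
    print("valid:", check(t, SECRET))
    print("naive verifier on alg=none forgery:", verify_naive(forge_none(t), SECRET))
    print("pinned verifier on alg=none forgery:", check(forge_none(t), SECRET))
    revoke(t)
    print("after revoke:", check(t, SECRET))
```

The order of checks in `verify` matters: the algorithm is compared against a server-side constant before any signature math runs, the MAC is compared with `hmac.compare_digest`, and `exp` is treated as mandatory rather than optional, so a token minted without it is rejected instead of living forever.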
7. JWT in Python (PyJWT)
pip install pyjwt
import jwt
from datetime import datetime, timedelta, timezone
# exp is required for a short-lived token; PyJWT converts the datetime to a Unix timestamp
encoded = jwt.encode({"user": "admin", "exp": datetime.now(timezone.utc) + timedelta(hours=1)}, "secret", algorithm="HS256")
# decode() verifies the signature and exp; algorithms=[...] must be given explicitly so the token cannot pick its own
decoded = jwt.decode(encoded, "secret", algorithms=["HS256"])
What Undercode Say:
JWTs are powerful but require careful implementation. Misconfigurations (weak keys, missing validation, trusting the token's `alg` header) lead directly to account takeover. Use HTTPS, enforce short-lived tokens, and avoid storing sensitive data in payloads: the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it. For high-security systems, consider OAuth 2.0 with PKCE or mutual TLS (mTLS).
Prediction:
JWTs will remain dominant in stateless auth, but WebAuthn (passwordless FIDO2) and PASETO (secure token alternative) may gain traction.
Expected Output:
A secure, well-structured JWT system with proper validation, short expiry, and encrypted storage.
Relevant URL: JWT.io (Debugger & Docs). Do not paste production tokens into any online debugger; decode them locally as in section 3.
References:
Reported By: Alexxubyte Systemdesign – Hackers Feeds


