
JWT (JSON Web Token) is an open standard for securely transmitting information between two parties. JWTs are widely used for authentication and authorization.
A JWT consists of three main components:
1 – Header
Every JWT carries a header that specifies the algorithm used to sign it. It's written in JSON format.
2 – Payload
The payload consists of the claims and the user data. There are different types of claims such as registered, public, and private claims.
3 – Signature
The signature is what makes the JWT tamper-evident. It is produced by joining the encoded header and the encoded payload with a dot and signing that string with the key, using the algorithm named in the header.
JWTs can be signed in two different ways:
1 – Symmetric Signatures
A symmetric signature uses a single secret key for both signing the token and verifying it. The same key must be shared between the server that signs the JWT and the system that verifies it.
2 – Asymmetric Signatures
In this case, a private key is used to sign the token, and a public key to verify it. The private key is kept secure on the server, while the public key can be distributed to anyone who needs to verify the token.
You Should Know:
Generating a JWT (Linux/Python)
Install PyJWT
pip install pyjwt
Generate a JWT with HS256 (Symmetric)
python3 -c "import jwt; print(jwt.encode({'user': 'admin'}, 'secret_key', algorithm='HS256'))"
Generate a JWT with RS256 (Asymmetric)
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
python3 -c "import jwt; print(jwt.encode({'user': 'admin'}, open('private.pem').read(), algorithm='RS256'))"
Decoding & Verifying JWT
Decode JWT without verification (Linux)
JWT="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.9ZQ2X-5X6y7z8w9a0b1c2d3e4f5g6h7i8j9k0l1m"
for i in 1 2; do s=$(echo "$JWT" | cut -d. -f"$i" | tr '_-' '/+'); case $(( ${#s} % 4 )) in 2) s="$s==";; 3) s="$s=";; esac; echo "$s" | base64 --decode; echo; done
Verify JWT with PyJWT
python3 -c "import jwt; print(jwt.decode('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.9ZQ2X-5X6y7z8w9a0b1c2d3e4f5g6h7i8j9k0l1m', 'secret_key', algorithms=['HS256']))"
JWT Security Best Practices
- Short Expiry Time: Set `exp` claim to limit token validity.
- Use HTTPS: Prevent token interception.
- Avoid Sensitive Data: JWTs are base64-encoded, not encrypted.
- Key Rotation: Regularly update signing keys.
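To make the signing and verification steps above concrete, here is an added example (not from the original post, and independent of PyJWT) that builds an HS256 token by hand and verifies it with a pinned algorithm, a constant-time signature comparison and an `exp` check. The key `secret_key`, the claims and the timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    # base64url without padding, as the JWS format requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # restore the padding that JWTs strip before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    # signature = HMAC-SHA256(key, base64url(header) + "." + base64url(payload))
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (b64url(json.dumps(header, **compact).encode()) + "."
                     + b64url(json.dumps(payload, **compact).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    # the accepted algorithm comes from verifier policy, never from the token
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    # constant-time comparison avoids leaking how many signature bytes matched
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    key = b"secret_key"  # constructed sample key, not for real use
    token = sign_hs256({"user": "admin", "exp": 1735689600}, key)
    return verify_hs256(token, key, now=1735689000)
```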
Blacklisting Tokens (Redis Example)
Add token to Redis blacklist
redis-cli SET "blacklist:eyJhbGciOi..." "1" EX 3600
Check if token is blacklisted
redis-cli GET "blacklist:eyJhbGciOi..."
What Undercode Say
JWTs are powerful but require careful implementation. Always:
- Use strong keys (`openssl rand -hex 32` for HS256).
- Prefer RS256 over HS256 for distributed systems.
- Monitor token leaks (GitHub, logs).
- Implement token revocation if needed.
Expected Output:
{
"header": {
"alg": "HS256",
"typ": "JWT"
},
"payload": {
"user": "admin",
"exp": 1735689600
},
"signature": "9ZQ2X-5X6y7z8w9a0b1c2d3e4f5g6h7i8j9k0l1m"
}
Prediction
JWTs will remain a dominant authentication method, but quantum-resistant algorithms (e.g., EdDSA) may replace RSA/ECDSA in the next decade.
Reported By: Alexxubyte Systemdesign – Hackers Feeds