ORSYS le mag 2025 logo

The training and skills medium

Home > Cybersecurity glossary > JWT (JSON Web Token) 🟒 Protection

JWT (JSON Web Token) 🟒 Protection

A JWT (JSON Web Token) is an open standard defined by the RFC 7519 used in cyber security to authenticate and secure information exchanges between parties.

It enables data to be transmitted in a compact, secure and verifiable way, based on digital signatures or a encryption to guarantee the integrity and, where applicable, the confidentiality of the information.

 

Structure of a JWT

A JWT consists of three main parts, each encoded in Base64URL and separated by a dot (.) :

  1. Header

    • Function Define the signature algorithm (for example, HS256, RS256, ES256) and indicate the token type (generally "JWT").
    • Example : { "alg": "HS256", "typ": "JWT"}.

  2. Payload (payload)

    • Function The "claims" are useful information such as the user's identifier, roles and expiry date.
    • Types of claims :
      • Registered claims standardised claims such as iss (transmitter), exp (expiry), sub (subject) and aud (audience).
      • Public claims claims: claims that can be defined by the community or by the user for shared information.
      • Private claims information specific to a particular context or application.
    • Encryption option Although the payload is often simply signed (JWS), it can be encrypted for additional protection using the JWE (JSON Web Encryption) format.

  3. Signature

    • Function Signature: to ensure the integrity of the token. The signature is generated by combining the header and the payload (encoded beforehand) with a secret key or a private key (for asymmetric algorithms) according to the specified algorithm.
    • Example For HS256, the signature is obtained via HMAC-SHA256.

 

πŸ‘‰ Use cases in cybersecurity

 

  • Authentication Once the user has logged in, the server generates a JWT that the client includes in HTTP requests (for example, in the Authorization: Bearer). This allows the server to check the client's identity on each request without requiring server-side session storage.
  • Secure Information Exchange In a microservices architecture or when APIs interact, JWT enables data to be transmitted reliably and securely.
  • Single Sign-On (SSO) Session sharing: makes it easier to share sessions between several applications, by centralising authentication using a single token.

 

βœ” Benefits

 

  • Stateless no server-side storage (unlike sessions).
  • Laptop can be used in a variety of contexts (web, mobile, API).
  • Compact lightweight format, easy to transmit via URL, HTTP headers or cookies.
  • Flexible: they can be used in a variety of authentication protocols and frameworks, including OAuth2 and OpenID Connect

Risks and good practice

 

πŸ”Ί Common faults

  • Signature not verified Failure to check the signature correctly may allow an attacker to modify the content of the token.
  • Use of Weak Algorithms For example, using HS256 with a weak key exposes you to attacks by brute force.
  • Inadequate storage Storing the JWT in vulnerable locations (such as localStorage) can lead to attacks. XSS and token theft.
  • Token Hijacking In the event of interception, a stolen token can be used to impersonate the user.

 

🟩 Good practice

  • Using HTTPS encrypt all communications to prevent tokens from being intercepted.
  • Choosing robust algorithms The following steps should be taken: use secure algorithms (e.g. RSA or ECDSA) and sufficiently complex keys.
  • Limiting Service Life define short expiry dates (exp) to reduce the token's validity time in the event of compromise.
  • Systematically validate verify the signature and claims each time the token is used.
  • Revocation mechanisms : implement strategies to invalidate compromised or expired tokens.

Example of JWT

Here is a simplified example of a JWT, made up of three encoded parts:

  • Header : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
  • Payload : eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
  • Signature : SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This example illustrates how the three parts are combined to form a complete token, guaranteeing the secure transmission of information.

Difference with other authentication technologies

 

  • JWT vs Session Cookies JWTs are self-supporting and do not require server-side storage, unlike session cookies, which rely on session management.
  • JWT vs OAuth2 OAuth2 is an authorisation framework that can use different token formats, including JWT, to transmit authentication information.
  • JWT vs SAML While SAML (Security Assertion Markup Language) is an XML standard for SSO in corporate environments, JWT offers a lighter format that is better suited to modern web applications.
Back to Glossary

field of training

ο€­

Cybersecurity

associated training



Systems and network security, level 1



Hacking and security, level 1



Information systems security, summary

BEST

Towards the ORSYS Cyber Academy: a free space dedicated to cybersecurity