About JWT Authentication
The JSON Web Token (JWT) is an open standard (IETF RFC 7519) data format that is compact, self-contained, and secure. It is intended for passing information where space is limited, such as HTTP headers and URI query strings.
- Self-contained. The JWT can carry all the required information about the user, so the server does not have to query the database on every request.
- Secure. The JWT can be digitally signed with one of the following methods:
  - HMAC algorithm, using a shared secret
  - RSA algorithm, using a public/private key pair
The authentication flow is as follows:
- The user logs in with their username and password or other security credentials. The browser or client app sends the credentials in a POST request over an HTTPS connection.
- The server checks the credentials against the login database. If they are valid, it creates and signs an access JWT and returns it in the body of the response.
- When the user requests a page, the browser or client app sends the access JWT in the Authorization header of the request.
- The server verifies the JWT signature and extracts the user information from the JWT payload.
- The requested page or resource is sent to the client.
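The signing and verification steps above, as an added example that is not part of the original page: a minimal HS256 JWT issuer and verifier using only the Python standard library. The secret, claim values and function names are constructed for the demo; a production service would use a vetted library and load the secret from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; never hard-code a real signing key like this.
SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_jwt(claims: dict, secret: bytes = SECRET, ttl: int = 300, now=None) -> str:
    """Build a signed token: header.payload.signature (RFC 7519, HS256)."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps({**claims, "iat": now, "exp": now + ttl}, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(payload.encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    # Pin the algorithm server-side; the token's own "alg" must never choose the verifier.
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def peek_payload(token: str) -> dict:
    """The payload is only base64url-encoded, not encrypted: anyone holding the token can read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))
```

`peek_payload` is there to make the point that a signature protects integrity, not confidentiality, so secrets do not belong in the claims.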