JWT, or JSON Web Token, is an open standard used to share security information between two parties — a client and a server. Each JWT contains encoded JSON objects, including a set of claims. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued. https://www.akana.com/blog/what-is-jwt
The claims sit within the payload, the second part of the token.
The general opinion is that they’re good for being used as ID tokens or access tokens and that they’re secure — as the tokens are usually signed or even encrypted. You have to remember though, that JWT is not a protocol but merely a message format. The RFC just shows you how you can structure a given message and how you can add layers of security, that will protect the integrity and, optionally, the content of the message. JWTs are not secure just because they are JWTs, it’s the way in which they’re used that determines whether they are secure or not. https://curity.io/resources/learn/jwt-best-practices/#:~:text=The%20general%20opinion%20is%20that,but%20merely%20a%20message%20format.
It is important to note that JWTs alone do not guarantee the security of the data they carry: a signature proves who issued the token and that it has not been changed since, not that its contents are hidden. They are primarily used for authentication and authorization. You still have to send them over a secure channel (HTTPS), verify the signature with the algorithm and key you expect, and validate the claims in the payload (issuer, audience, expiry) before trusting anything the token says.
The secret key and the signing algorithm
So we are starting with a secret and want to keep it that way. We put the message through a decoder ring that jumbles everything up in a very specific way, then the piece of paper gets folded up origami-style so it looks like something else, then we lock the origami in a tiny box and send it by carrier pigeon (don’t worry, the box is very small and not heavy at all). The message flies above everyone’s head, straight to the intended audience (because carrier pigeons are very smart, just ask Joshua). When the box arrives, the recipient knows how to unfold the origami and already owns a matching decoder ring, so they can check that the message really came from us and was not changed on the way.
Two things the analogy has to get right. First, the decoder ring (the signing key) never travels in the box: with an HMAC algorithm such as HS256 the sender and the verifier share the secret ahead of time, and with a public-key algorithm the private half never leaves the issuer. Second, the folding (base64url encoding) is not encryption. Anyone who grabs the pigeon can unfold and read the claims; what they cannot do is change them without the signature failing. If the contents must stay private, the token also has to be encrypted, not just signed.
Done that way it is fast and compact, and it is secure because the signature can only be produced and checked by someone holding the right key.
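The following is an added example, not code from the original post or from the cited sources. It implements the three-part token, the HS256 signing described above, and the signature-then-claims verification from the earlier paragraph, using only the Python standard library. The key, issuer and audience values are constructed for the example; the `check` and `tamper_payload` helpers exist only to show what a verifier accepts and rejects.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example. A real key comes from a secrets store
# and is never placed in the token or sent to the client.
SECRET_KEY = b"example-only-hs256-key-change-me"      # assumed shared secret
OTHER_KEY = b"a-different-key-the-issuer-never-had"   # assumed attacker key
ISSUER = "https://issuer.example"                       # assumed 'iss' value
AUDIENCE = "api.example"                                # assumed 'aud' value


def b64url_encode(raw: bytes) -> str:
    """JWT uses base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode removed, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    """Compact JSON, then base64url: the form used for header and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature; the key is used here but never emitted."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying. Anyone holding the token can do this,
    because base64url is an encoding, not encryption."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Check the signature first, then the claims. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects instead of trusting the header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # A valid signature proves origin and integrity; the claims still need checking.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def check(token: str, key: bytes, now: float) -> Tuple[bool, object]:
    """(True, claims) if the token is accepted, (False, reason) if rejected."""
    try:
        return True, verify_jwt(token, key, now=now)
    except ValueError as exc:
        return False, str(exc)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature, as an attacker might."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{encode_json(new_claims)}.{sig_b64}"


if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 1_700_000_000}
    token = sign_jwt(claims, SECRET_KEY)
    valid_time = 1_699_999_000
    print("token:", token)
    print("readable without the key:", peek_claims(token))
    print("genuine:", check(token, SECRET_KEY, now=valid_time))
    print("payload swapped:", check(tamper_payload(token, {**claims, "sub": "admin"}),
                                    SECRET_KEY, now=valid_time))
    print("re-signed with another key:", check(sign_jwt(claims, OTHER_KEY),
                                               SECRET_KEY, now=valid_time))
    print("expired:", check(token, SECRET_KEY, now=1_700_000_001))
```

Note what each rejection demonstrates: swapping the payload or re-signing with a different key both fail at the signature step, while an expired or wrong-audience token passes the signature and fails at claim validation. Both steps are required; `peek_claims` shows why the payload itself must never be treated as confidential.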
I am tired, so I referenced ChatGPT, and it actually did a really good job:
Imagine you’re going on a trip and need to carry important information with you. You want something that is small, convenient, and contains everything you need without relying on external resources. That’s where a compact and self-contained passport-like document, such as a JWT, comes in handy.
Compactness: Explain that a JWT is like a small, lightweight document. It doesn’t take up much space and is easy to carry around, just like a small booklet or card that can fit in your pocket. This compactness makes it efficient to transmit and handle.
Self-contained: Describe the self-contained nature of a JWT by comparing it to a mini filing cabinet or a personal organizer. A JWT contains all the important information within itself, just like how a filing cabinet keeps all the necessary documents organized in one place. It carries all the essential details needed for authentication or authorization, such as user identification, permissions, or other relevant data.
Independence: Emphasize that a JWT doesn’t rely on external resources or databases to validate or understand its content. It’s like having a portable identification card that doesn’t need to connect to a central database for verification. All the necessary information is securely packed within the JWT itself.
By using this analogy, you can convey to your non-technical friend that JWTs are like small, self-contained passports for authentication and authorization purposes. They are convenient, efficient, and contain all the necessary information needed, making them practical for various web-based applications.
The Bearers are coming!