Introduction
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. They are commonly used for authentication and secure data exchange in web applications.
Why Use JWT?
- Stateless Authentication: Eliminates the need for session storage.
- Compact & Efficient: Encoded as a small JSON string.
- Secure: Supports encryption and signature verification.
- Cross-Platform Compatibility: Works with multiple programming languages.
JWT Structure
A JWT consists of three parts:
- Header: Contains metadata (algorithm & token type).
- Payload: Holds claims (user data, expiration, etc.).
- Signature: Ensures integrity and authenticity.
Example JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTYxNjIzOTAyMn0.5tXshX1c2P-8i6a1D9GQVb85y5CXYc0RUc3L8T6dX1E
How JWT Works
- User Logs In: Credentials are sent to the server.
- Token Generation: Server creates a JWT and sends it back.
- Client Stores Token: JWT is stored in localStorage or HTTP cookies.
- Authenticated Requests: Token is sent with API requests.
- Token Validation: Server verifies the token and grants access.
Implementing JWT in Node.js
Installing Dependencies
npm install jsonwebtoken express
Generating a JWT
const jwt = require('jsonwebtoken');
const secretKey = 'your-secret-key';
const token = jwt.sign({ userId: 1, name: 'John Doe' }, secretKey, { expiresIn: '1h' });
console.log(token);
Verifying a JWT
jwt.verify(token, secretKey, (err, decoded) => {
if (err) {
console.log('Invalid Token');
} else {
console.log('Decoded Data:', decoded);
}
});
Best Practices
- Use HTTPS to prevent token interception.
- Store tokens securely (e.g., HTTP-only cookies instead of localStorage).
- Set expiration times to enhance security.
- Implement refresh tokens for seamless re-authentication.
Conclusion
JWT provides a secure and scalable authentication mechanism for web applications. By following best practices, developers can ensure data integrity and user security.
