JSON

The document provides an overview of JSON Web Tokens (JWT), detailing their use for secure information transmission in web applications, including how to create, store, and verify them. It outlines the pros and cons of using JWTs, such as statelessness and security risks, and mentions alternatives like OAuth 2.0 and session-based authentication. Additionally, it emphasizes the importance of using a JWT_SECRET for signing and verifying tokens.

Gagan Saini Github: Gagan-Saini-GS

@gagan-saini-gs

Become Authorized Using

JSON WEB TOKEN
Created By
Gagan Saini

JWT
JWT is a compact, URL-safe way to represent claims between two parties. JWT is used for securely transmitting information for authentication purposes in web apps.
A token can look like


Create Token
First install the jsonwebtoken library to create a JWT.

You can use any data in the payload to create your JSON web tokens.

The signing algorithm (such as HMAC SHA-256) uses the JWT_SECRET to generate a hash, which becomes the signature part of the token.

The same JWT_SECRET is also used to verify tokens.


How to use JWT?

Client Side: The JWT is stored on the client in local storage, session storage, or cookies.

Request with JWT: For every subsequent request to a protected route, the client includes the JWT in the Authorization header.

Server Side: The server validates the token's signature and checks expiration. If valid, the user is granted access.


How to verify JWT?

When a client sends the JWT back to the server, the server verifies it by using the same JWT_SECRET that was used to sign it.

This ensures that the token is valid and hasn't been modified. If the signature computed with the server's secret matches the one in the token, the server knows the token is legitimate and allows the user to continue using its services.


Store JWT
Cookies are a safe choice for storage because cookies can be made HttpOnly to prevent access via JavaScript.
You can also store a JWT in local storage; this is easier to implement but vulnerable to XSS (Cross-Site Scripting) attacks.


Pros
Stateless: No need to store sessions on the server.

Scalable: Easily scalable across distributed systems.

Portable: Works across different platforms and services.


Cons
Security Risks: JWTs are vulnerable to XSS if stored in local storage or session storage.

Token Size: Larger payloads increase the size of the token.

No Revocation: Once a JWT is issued, it can't be revoked unless handled via expiration or blacklist mechanisms.


Alternatives
OAuth 2.0

Widely used for authorization, allowing third-party services to access resources without exposing credentials.

Session-based Authentication

Traditional method where user session info is stored on the server, but it's harder to scale.
