![\"Illustration](\"/dd1314dc0f7dba888ea4df48ac00ccbe/token-authentication-method.webp\")
Have you ever logged into a website by clicking “Login with Google” or “Sign in with Facebook,” without entering your password? Or used a web app that keeps you logged in even after closing your browser?
\nThese seamless experiences often rely on JSON Web Tokens (JWTs) — a way to authorize users after they have been authenticated.
\nIn today’s digital landscape, securing user identity and managing access is critical. JWT is a compact and secure method for transmitting claims between parties, typically used after authentication to handle authorization, session management, and secure API access.
\nBut what exactly is a JWT, how does it work, and why is it important? This blog offers a comprehensive explanation.
\nTokens are digital artifacts used in authentication systems to represent user identity. Instead of maintaining session state on the server, modern applications issue tokens to clients. These tokens are sent along with each request to authorize access to protected resources.
\nWhen a user makes an authenticated request, the token is included in the request header. The server verifies the token’s validity—typically by checking its signature and expiration time. If the token is valid, access is granted. This approach supports stateless and scalable systems, compared to traditional session-based models.
\n
A JWT (JSON Web Token) is a compact, self-contained token used to securely transmit claims between parties. JWTs are digitally signed using a secret (with HMAC) or a public/private key pair (with RSA or ECDSA).
\nOne of the main advantages of JWT authentication is that it doesn't require storing session data on the server—making it ideal for distributed applications.
\nThere are two main types of JWT based on how the payload is protected- JWS and JWE. Let’s learn more about them.
\nJWS is a type of JWT where the payload (data) is digitally signed, ensuring integrity and authenticity of the token.
\nUse Case: Verifying that the data has not been tampered with.
\nJWE is a type of JWT where the payload is encrypted, ensuring confidentiality in addition to integrity.
\nUse Case: Protecting personal or confidential information during transit.
\n| Feature\n | \nJWT (General)\n | \nJWS (Signed JWT)\n | \nJWE (Encrypted JWT)\n | \n
| Security Focus\n | \nToken Format\n | \nIntegrity, authenticity\n | \nConfidentiality + integrity\n | \n
| Payload\n | \nNot specified\n | \nBase64URL encoded (readable)\n | \nEncrypted (not readable)\n | \n
| Signature\n | \nOptional\n | \nRequired\n | \nEncrypted along with payload\n | \n
| Encryption\n | \nOptional\n | \nNot encrypted\n | \nFully encrypted\n | \n
| Use Case\n | \nID and Access Tokens\n | \nOAuth 2.0, OpenID Connect\n | \nHighly sensitive information\n | \n
Note: JWT is the umbrella format. JWS and JWE are implementation types. The most commonly used JWTs in web apps are of the JWS type.
\nA JWT is composed of three parts:
\nEach part is Base64URL encoded and separated by a period (.).
\nExample:
\n<Header>.<Payload>.<Signature>
\nThe header typically includes the token type and the signing algorithm being used.
\n{
\n\"alg\": \"HS256\",
\n\"typ\": \"JWT\"
\n}
\nThe payload contains the claims—statements about an entity (usually the user) and additional metadata.
\n{
\n\"iss\": \"https://lrSiteName.hub.loginradius.com/\",
\n\"sub\": \"{uid}\",
\n\"jti\": \"unique string\",
\n\"iat\": 1573849217,
\n\"nbf\": 1573849217,
\n\"exp\": 1573849817,
\n\"Key1\": \"value1\",
\n\"Key2\": \"value2\"
\n}
\nNote: The payload is not encrypted by default, and can be decoded by anyone. Do not include sensitive information unless using an encrypted JWT (JWE).
\nThe signature ensures the token has not been altered. It is created by signing the encoded header and payload using a secret or private key.
\nHMACSHA256(
\nbase64UrlEncode(header) + \".\" +
\nbase64UrlEncode(payload),
\nsecret)
\nThis helps validate the token’s integrity and authenticity.
\nJWT-based authentication typically follows this flow:
\nThe user provides login credentials (e.g., username and password).
\nThe server validates the credentials against its data store.
\nUpon successful login, the server issues a JWT signed with a secret/private key (post authentication).
\nThe client stores the token (e.g., in localStorage, sessionStorage, or a secure cookie).
\nThe client attaches the token to the Authorization header (Bearer <token>) in future authorization/authentication API requests.
\nThe server checks the token's signature, expiry, and validity.
\nIf valid, the user is granted access to protected resources.
\nThis stateless model makes JWT ideal for scalable web and mobile apps.
\nOAuth 2.0 is an industry-standard protocol for authorization. It enables users to grant third-party apps access to their resources without sharing their credentials.
\nWhen integrated with JWT, OAuth 2.0 uses JWTs as access tokens to represent the user's authorization.
\nJWTs are commonly used as OAuth 2.0 access tokens—but not required by the specification. Some providers use opaque tokens instead.
\n![\"Illustration](\"/dce2d7af3a212b2cf75c6b810d4444e2/api-economy.webp\")
To implement JWT with LoginRadius:
\nSet up a JWT app in your LoginRadius Admin Console. Follow the JWT Admin Console Configuration guide.
\n![\"Illustration](\"/a3ccb47d5a3d66fc01c0eeac6c26328b/jwt-configuration.webp\")
If you are directly implementing your Login forms or already have an access token or want to generate a JWT based on email/username/Phone number or a password, you can leverage the following APIs:
\nAPI Response Example:
\n{
\n\"signature\": \"<JWTresponse>\"
\n}
\nThese tokens can then be used in your client app for authenticated requests.
\nTo implement JWT securely, follow these key practices:
\nPrivate keys or secrets used to sign JWTs must be stored securely.
\nPayload is only base64 encoded—not encrypted. Do not include passwords, PII, or credentials unless using encrypted JWT (JWE).
\nInclude only essential claims in the token to reduce size and exposure.
\nAlways transmit JWTs over HTTPS to prevent man-in-the-middle attacks.
\nUse short exp durations and implement refresh tokens to reduce impact if a token is compromised.
\nUse jti with a blacklist or maintain a revocation strategy for enhanced control.
\nJWTs offer numerous benefits in authentication systems:
\nJWTs are widely adopted in OAuth 2.0, OpenID Connect, and API security implementations.
\nJWT authentication is a robust, efficient, and secure method for protecting web and mobile applications. By understanding its structure, use cases, and best practices, you can confidently implement JWTs in modern authentication systems.
\nLooking to implement JWT in your application? Check out the developer documentation to get started with seamless JWT integration using LoginRadius.
\nA: By default, the expiry time of a JWT is 600 seconds (10 Minutes). It is shown in the form of seconds in the JWT configuration. The expiry time can be set from 1 second to 2592000 seconds (30 days) as per your use case.
\nA: OAuth is an authorization framework, that allows third-party apps to access user data without exposing their credentials.JWT is used at the end of authentication to securely transmit user info (identity and authorization). Use OAuth for delegated access; use JWT for stateless authentication and API authorization (verifying within your own system).
\nA: JWTs mainly come in two types, with one being JSON Web Signature (JWS) and JSON Web Encryption (JWE). In JWS, the token’s content is digitally signed to protect it from tampering during transmission between sender and receiver. While the data is secure from modification, its contents (claims) can still be visible to others.
\n","headings":[{"value":"Introduction","depth":2},{"value":"What are Tokens and Why Are They Needed?","depth":2},{"value":"What is JWT (JSON Web Token)?","depth":2},{"value":"Types of JWT","depth":2},{"value":"JWS (JSON Web Signature)","depth":3},{"value":"JWE (JSON Web Encryption)?","depth":3},{"value":"JWT vs JWS vs JWE – Comparison Table","depth":2},{"value":"Structure of JWT","depth":2},{"value":"1. Header","depth":3},{"value":"2. Payload","depth":3},{"value":"Standard JWT Claims","depth":4},{"value":"3. Signature","depth":3},{"value":"How Does JWT Work?","depth":2},{"value":"How to Use OAuth 2.0 with JWT","depth":2},{"value":"Why JWTs in OAuth 2.0?","depth":3},{"value":"Implementation of JWT using LoginRadius APIs","depth":2},{"value":"Step 1: Configure a JWT App","depth":3},{"value":"Step 2: Use APIs to Retrieve JWT","depth":3},{"value":"Best Practices for Secure JWT Authentication","depth":2},{"value":"Why Are JWTs Important for Authentication and Security?","depth":2},{"value":"Conclusion","depth":2},{"value":"FAQ’s","depth":2},{"value":"1. What is the expiration time of JWT, and what is the measurement of time in JWT?","depth":3},{"value":"2. What is the difference between OAuth and JWT?","depth":3},{"value":"3. How many types of JWT are there?","depth":3}],"fields":{"slug":"/engineering/guide-to-jwt/"},"frontmatter":{"metatitle":"Complete Guide to JWT and How It Works","metadescription":"Learn how JWT (JSON Web Token) works, its structure, and best practices for secure authentication and stateless session management.","description":"Understand JSON Web Tokens (JWT), their compact and secure structure, and their critical role in authentication and authorization. Learn how JWT enables stateless sessions, improves scalability, and secures APIs. This guide explores JWT's working principles and best practices for robust security implementation.","title":"Complete Guide to JSON Web Token (JWT) and How It Works","canonical":null,"date":"April 07, 2025","updated_date":null,"tags":["Oauth","Authorization Code Flow","Authorization","Authentication"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.6528925619834711,"src":"/static/91ea5ae9cba0662d9830e037814a0409/2ad7f/guide-to-jwt.webp","srcSet":"/static/91ea5ae9cba0662d9830e037814a0409/1c9b5/guide-to-jwt.webp 200w,\n/static/91ea5ae9cba0662d9830e037814a0409/f1752/guide-to-jwt.webp 400w,\n/static/91ea5ae9cba0662d9830e037814a0409/2ad7f/guide-to-jwt.webp 800w,\n/static/91ea5ae9cba0662d9830e037814a0409/e7405/guide-to-jwt.webp 1200w,\n/static/91ea5ae9cba0662d9830e037814a0409/d3cba/guide-to-jwt.webp 1600w,\n/static/91ea5ae9cba0662d9830e037814a0409/9f7b4/guide-to-jwt.webp 5115w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kundan Singh","github":null,"bio":"Director of Product Development @ LoginRadius.","avatar":null}}}},"pageContext":{"id":"0d5ca0dd-a4a1-505b-81bd-072fe40a7d7f","fields__slug":"/engineering/guide-to-jwt/","__params":{"fields__slug":"engineering"}}},"staticQueryHashes":["1171199041","1384082988","1711371485","1753898100","2100481360","229320306","23180105","528864852"]}