CIAM.wiki


JSON Web Token (JWT)

A JSON Web Token is a compact, URL-safe token that carries claims about a user or session as a JSON object, normally signed (and sometimes encrypted) so that the recipient can check who issued it and that it has not been altered. It is used widely to convey identity and authorization data between parties.

Also: JWT

A JSON Web Token is a small, self-contained token that holds a set of claims, such as who the user is and when the token expires, encoded as JSON and signed so that a receiver which verifies the signature can trust the claims have not been altered. Its three parts, a header, a payload, and a signature, are base64url encoded and joined with dots; the signature is computed over the first two parts. Note that base64url is an encoding, not encryption: anyone who holds the token can read the header and payload, and only the signature check tells the receiver that they are genuine.

JWTs are the common format for the ID tokens issued by OpenID Connect and for many OAuth 2.0 access tokens. Because they are signed and can be verified without a database lookup, they are convenient for stateless sessions, but that same property means a leaked token is valid until it expires and cannot be revoked without reintroducing server-side state such as a deny list, so short lifetimes and careful handling matter. A receiver should verify the signature with the algorithm and key it expects, rather than the algorithm named in the token's own header, and check the expiry, issuer, and audience claims before trusting the rest.
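The structure described above (three base64url segments, signature over the first two) and the verification rules (pinned algorithm, signature check, expiry and audience) as a worked example. This is an added illustration, not code from CIAM.wiki; it uses only the Python standard library, a constructed demo secret, and made-up claim values and timestamps, and it also shows the three failures a verifier must catch: a tampered payload, an expired token, and an unsigned "alg": "none" token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying: anyone holding the token can do this."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, secret: bytes, expected_aud: str,
                 now: Optional[float] = None) -> dict:
    """Verify algorithm, signature, expiry and audience; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise InvalidToken("malformed segment") from exc
    # Pin the algorithm the verifier expects; the token must never choose its own.
    # This is what rejects "alg": "none" and algorithm-confusion tricks.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise InvalidToken("signature does not match")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise InvalidToken("missing exp or token expired")
    if claims.get("aud") != expected_aud:
        raise InvalidToken("audience mismatch")
    return claims


def rejection_reason(token, secret, expected_aud, now=None):
    """None when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256(token, secret, expected_aud, now)
        return None
    except InvalidToken as exc:
        return str(exc)


def with_payload(token: str, claims: dict) -> str:
    """Swap in a new payload but keep the old signature (an attacker's edit)."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_segment(claims) + "." + sig_b64


def unsigned_token(claims: dict) -> str:
    """An "alg": "none" token with an empty signature segment."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


# Constructed demo values: the secret, subject and timestamps are made up.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUED_AT = 1700000000
CLAIMS = {"sub": "user-123", "aud": "orders-api", "iat": ISSUED_AT, "exp": ISSUED_AT + 300}

if __name__ == "__main__":
    token = mint_hs256(CLAIMS, SECRET)
    print(token)
    print("readable without the key:", peek_claims(token))
    print("valid   :", rejection_reason(token, SECRET, "orders-api", now=ISSUED_AT + 60))
    print("tampered:", rejection_reason(with_payload(token, dict(CLAIMS, sub="admin")), SECRET, "orders-api", now=ISSUED_AT + 60))
    print("expired :", rejection_reason(token, SECRET, "orders-api", now=ISSUED_AT + 600))
    print("alg none:", rejection_reason(unsigned_token(CLAIMS), SECRET, "orders-api", now=ISSUED_AT + 60))
```

The order of checks matters: the algorithm is pinned before any signature work, the signature is checked before the payload is parsed as JSON, and only then are the time and audience claims consulted, so untrusted payload content is never acted on before its integrity is established. In production the same checks would be done with a maintained JOSE library and an asymmetric algorithm when more than one party must verify tokens.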

In CIAM, JWTs are usually the tokens an application receives after login and presents to APIs to prove the user’s identity and permissions.
