====== JWT ======
JWT is primarily used for:
* Authentication
* Authorization
JWT normally uses:
Digital Signatures
NOT encryption.
-----
====== What Is JWT? ======
JWT stands for:
JSON Web Token
Structure:
Header.Payload.Signature
Example:
xxxxx.yyyyy.zzzzz
-----
===== JWT Header =====
Contains metadata.
Example:
{
"alg": "HS256",
"typ": "JWT"
}
Meaning:
* The token type is JWT (typ)
* It is signed with the HS256 algorithm (alg)
-----
===== JWT Payload =====
Contains claims.
Example:
{
"userId": 123,
"role": "admin"
}
Common claims:
* sub
* exp
* iss
* aud
* iat
-----
===== JWT Signature =====
Protects token integrity.
Conceptually:
Header + Payload
↓
Sign
↓
Signature
Purpose:
* Detect modification
* Verify issuer
-----
====== JWT Authentication Flow ======
===== Step 1 =====
User logs in.
Email + Password
-----
===== Step 2 =====
Server validates credentials.
-----
===== Step 3 =====
Server creates JWT.
Header
Payload
Signature
-----
===== Step 4 =====
Server returns token.
{
"token": "eyJhbGciOi..."
}
-----
===== Step 5 =====
Client stores token.
Possible locations:
* Cookie
* Local Storage
* Memory
-----
===== Step 6 =====
Client calls protected API.
Authorization: Bearer <token>
-----
===== Step 7 =====
Server verifies token signature.
If valid:
Access Granted
If invalid:
401 Unauthorized
-----
====== JWT Using HS256 ======
===== Algorithm Type =====
HS256
Uses:
ONE SECRET KEY
-----
===== Architecture =====
Secret Key
|
+--> Sign JWT
|
+--> Verify JWT
-----
===== Example =====
JWT_SECRET=abc123
Signing:
Sign(token, abc123)
Verification:
Verify(token, abc123)
-----
===== Advantages =====
* Simple
* Fast
* Easy setup
-----
===== Disadvantages =====
All services need the same secret key.
If the secret leaks:
Anyone can generate valid JWTs.
-----
====== JWT Using RS256 ======
===== Algorithm Type =====
RS256
Uses:
PUBLIC KEY + PRIVATE KEY
-----
===== Architecture =====
Private Key → Sign JWT
Public Key → Verify JWT
-----
===== Example =====
JWT_PRIVATE_KEY=/keys/private.pem
JWT_PUBLIC_KEY=/keys/public.pem
-----
===== Signing =====
Sign(token, Private Key)
Only the holder of the private key can sign.
-----
===== Verification =====
Verify(token, Public Key)
Anyone with the public key can verify.
-----
===== Advantages =====
* Better for microservices
* Private key remains isolated
* Public key can be distributed safely
-----
===== Disadvantages =====
* More complex
* Slightly slower
-----
====== HS256 vs RS256 ======
^ Feature ^ HS256 ^ RS256 ^
| Keys | 1 | 2 |
| Type | Symmetric | Asymmetric |
| Sign | Secret Key | Private Key |
| Verify | Secret Key | Public Key |
| Complexity | Low | Medium |
| Performance | Fast | Slightly Slower |
| Enterprise Usage | Medium | High |
-----
====== Laravel JWT Configuration ======
===== HS256 Example =====
JWT_SECRET=my-secret-key
or
JWT_KEY=my-secret-key
This usually means:
HS256
Uses:
1 Secret Key
-----
===== RS256 Example =====
JWT_PRIVATE_KEY=/keys/private.pem
JWT_PUBLIC_KEY=/keys/public.pem
This usually means:
RS256
Uses:
2 Keys
-----
====== Important JWT Fact ======
JWT is usually:
SIGNED
JWT is usually NOT:
ENCRYPTED
Anyone holding the token can decode the payload without any key.
Example:
{
"userId": 123,
"role": "admin"
}
Therefore do NOT store:
* Passwords
* API Secrets
* Credit Card Numbers
* Sensitive Personal Information
inside JWT payloads.
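Added example (not code from the original page): a standard-library-only Python implementation of the HS256 signing and verification described in the JWT Using HS256 section, plus the point made here that the payload decodes without the secret. The secret ''abc123'', the payload and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

JWT_SECRET = b"abc123"  # constructed demo secret; real code loads it from JWT_SECRET in the environment

def b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Header.Payload.Signature where Signature = HMAC-SHA256(secret, "Header.Payload")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def decode_payload_unverified(token: str) -> dict:
    # No secret needed: the payload is only encoded, not encrypted, so never store secrets in it
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    # Returns the payload only if the algorithm is the expected one, the HMAC matches and exp has not passed
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # the verifier pins the algorithm; the token must not choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # header or payload was modified, or a different secret was used
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        return None  # expired
    return payload
```

A token whose payload segment is swapped keeps the old signature, so the HMAC check fails even though the swapped payload still decodes fine.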
-----
====== Summary ======
Cryptography
│
├── Encryption
│ │
│ ├── Symmetric (1 Key)
│ │ └── AES
│ │
│ └── Asymmetric (2 Keys)
│ └── RSA Encryption
│
└── Digital Signatures
│
├── Symmetric Signature
│ └── HS256 JWT
│
└── Asymmetric Signature
└── RS256 JWT
Memory Trick:
Encryption
= Hide Data
Signature
= Verify Data
HS256
= 1 Secret Key
RS256
= Private Key + Public Key
JWT
= Usually Signed
= Usually Not Encrypted