JWT

JWT is primarily used for:

JWT normally uses:

Digital Signatures

NOT encryption.


What Is JWT?

JWT stands for:

JSON Web Token

Structure:

Header.Payload.Signature

Example:

xxxxx.yyyyy.zzzzz

JWT Header

Contains metadata.

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

Meaning:


JWT Payload

Contains claims.

Example:

{
  "userId": 123,
  "role": "admin"
}

Common claims:


JWT Signature

Protects token integrity.

Conceptually:

Header + Payload
       ↓
      Sign
       ↓
   Signature

Purpose:


JWT Authentication Flow

Step 1

User logs in.

Email + Password

Step 2

Server validates credentials.


Step 3

Server creates JWT.

Header
Payload
Signature

Step 4

Server returns token.

{
  "token": "eyJhbGciOi..."
}

Step 5

Client stores token.

Possible locations:


Step 6

Client calls protected API.

Authorization: Bearer <token>

Step 7

Server verifies token signature.

If valid:

Access Granted

If invalid:

401 Unauthorized

JWT Using HS256

Algorithm Type

HS256

Uses:

ONE SECRET KEY

Architecture

Secret Key
    |
    +--> Sign JWT
    |
    +--> Verify JWT

Example

JWT_SECRET=abc123

Signing:

Sign(token, abc123)

Verification:

Verify(token, abc123)

Advantages


Disadvantages

All services need the same secret key.

If the secret leaks:

Anyone can generate valid JWTs.

JWT Using RS256

Algorithm Type

RS256

Uses:

PUBLIC KEY + PRIVATE KEY

Architecture

Private Key → Sign JWT

Public Key  → Verify JWT

Example

JWT_PRIVATE_KEY=/keys/private.pem

JWT_PUBLIC_KEY=/keys/public.pem

Signing

Sign(token, Private Key)

Only the private key owner can sign.


Verification

Verify(token, Public Key)

Anyone with the public key can verify.


Advantages


Disadvantages


HS256 vs RS256

Feature           HS256        RS256
Keys              1            2
Type              Symmetric    Asymmetric
Sign              Secret Key   Private Key
Verify            Secret Key   Public Key
Complexity        Low          Medium
Performance       Fast         Slightly Slower
Enterprise Usage  Medium       High

Laravel JWT Configuration

HS256 Example

JWT_SECRET=my-secret-key

or

JWT_KEY=my-secret-key

This usually means:

HS256

Uses:

1 Secret Key

RS256 Example

JWT_PRIVATE_KEY=/keys/private.pem

JWT_PUBLIC_KEY=/keys/public.pem

This usually means:

RS256

Uses:

2 Keys

Important JWT Fact

JWT is usually:

SIGNED

JWT is usually NOT:

ENCRYPTED

Anyone can decode the payload contents without any key.

Example:

{
  "userId": 123,
  "role": "admin"
}

Therefore do NOT store:

inside JWT payloads.
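The HS256 flow above (one secret key for both Sign and Verify) and the fact that the payload is only encoded, not encrypted, as an added example using only the Python standard library; this is not code from the original notes, and the JWT_SECRET value is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps JWT_SECRET out of source code.
JWT_SECRET = b"abc123"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build Header.Payload.Signature; the HMAC covers header AND payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_payload_unverified(token: str) -> dict:
    """No key needed: the payload is only base64url-encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes):
    """Return the payload if the signature is valid with this secret, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: never let the token decide how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Decoding the payload works for anyone, but changing it (or using the wrong secret) makes verification fail, which is exactly what the signature protects.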


Summary

Cryptography
│
├── Encryption
│   │
│   ├── Symmetric (1 Key)
│   │   └── AES
│   │
│   └── Asymmetric (2 Keys)
│       └── RSA Encryption
│
└── Digital Signatures
    │
    ├── Symmetric Signature
    │   └── HS256 JWT
    │
    └── Asymmetric Signature
        └── RS256 JWT

Memory Trick:

Encryption
= Hide Data

Signature
= Verify Data

HS256
= 1 Secret Key

RS256
= Private Key + Public Key

JWT
= Usually Signed
= Usually Not Encrypted