JWT
JWT is primarily used for:
- Authentication
- Authorization
JWT normally uses:
Digital Signatures
NOT encryption.
What Is JWT?
JWT stands for:
JSON Web Token
Structure:
Header.Payload.Signature
Example:
xxxxx.yyyyy.zzzzz
JWT Header
Contains metadata.
Example:
{
"alg": "HS256",
"typ": "JWT"
}
Meaning:
- JWT token
- Uses HS256 algorithm
JWT Payload
Contains claims.
Example:
{
"userId": 123,
"role": "admin"
}
Common claims:
- sub (subject)
- exp (expiration time)
- iss (issuer)
- aud (audience)
- iat (issued at)
JWT Signature
Protects token integrity.
Conceptually:
Header + Payload
↓
Sign
↓
Signature
Purpose:
- Detect modification
- Verify issuer
JWT Authentication Flow
Step 1
User logs in.
Email + Password
Step 2
Server validates credentials.
Step 3
Server creates JWT.
Header Payload Signature
Step 4
Server returns token.
{
"token": "eyJhbGciOi..."
}
Step 5
Client stores token.
Possible locations:
- Cookie
- Local Storage
- Memory
Step 6
Client calls protected API.
Authorization: Bearer <token>
Step 7
Server verifies token signature.
If valid:
Access Granted
If invalid:
401 Unauthorized
JWT Using HS256
Algorithm Type
HS256
Uses:
ONE SECRET KEY
Architecture
Secret Key
|
+--> Sign JWT
|
+--> Verify JWT
Example
JWT_SECRET=abc123
Signing:
Sign(token, abc123)
Verification:
Verify(token, abc123)
Advantages
- Simple
- Fast
- Easy setup
Disadvantages
Every service that verifies tokens must hold the same secret key, and any holder of that key can also sign.
If the secret leaks:
Anyone can generate valid JWTs.
JWT Using RS256
Algorithm Type
RS256
Uses:
PUBLIC KEY + PRIVATE KEY
Architecture
Private Key → Sign JWT
Public Key → Verify JWT
Example
JWT_PRIVATE_KEY=/keys/private.pem
JWT_PUBLIC_KEY=/keys/public.pem
Signing
Sign(token, Private Key)
Only the holder of the private key can sign.
Verification
Verify(token, Public Key)
Anyone with the public key can verify.
Advantages
- Better for microservices
- Private key remains isolated
- Public key can be distributed safely
Disadvantages
- More complex
- Slightly slower
HS256 vs RS256
| Feature | HS256 | RS256 |
|---|---|---|
| Keys | 1 | 2 |
| Type | Symmetric | Asymmetric |
| Sign | Secret Key | Private Key |
| Verify | Secret Key | Public Key |
| Complexity | Low | Medium |
| Performance | Fast | Slightly Slower |
| Enterprise Usage | Medium | High |
Laravel JWT Configuration
HS256 Example
JWT_SECRET=my-secret-key
or
JWT_KEY=my-secret-key
This usually means:
HS256
Uses:
1 Secret Key
RS256 Example
JWT_PRIVATE_KEY=/keys/private.pem
JWT_PUBLIC_KEY=/keys/public.pem
This usually means:
RS256
Uses:
2 Keys
Important JWT Fact
JWT is usually:
SIGNED
JWT is usually NOT:
ENCRYPTED
Anyone holding the token can Base64-decode the payload and read it; no key is needed.
Example:
{
"userId": 123,
"role": "admin"
}
Therefore do NOT store:
- Passwords
- API Secrets
- Credit Card Numbers
- Sensitive Personal Information
inside JWT payloads.
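The HS256 flow above (one secret for both Sign and Verify) and the "signed, not encrypted" fact, shown as an added Python example that is not from the original page. It uses only the standard library; the secret, the claims and the tampered payload are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Signature = HMAC-SHA256(secret, "<header>.<payload>"), the one-key model of HS256
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_payload_unverified(token: str) -> dict:
    # No key needed: the payload is encoded, not encrypted, so anyone can read it
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now=None):
    # Returns the claims when the signature and 'exp' check out, otherwise None
    header_seg, body_seg, sig_seg = token.split(".")
    if json.loads(b64url_decode(header_seg)).get("alg") != "HS256":
        return None  # the server pins the algorithm; the token never chooses it
    expected = hmac.new(secret, f"{header_seg}.{body_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        return None  # modified header/payload or wrong secret
    claims = json.loads(b64url_decode(body_seg))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None  # expired
    return claims

SECRET = b"abc123"  # constructed to match the page's example; real secrets must be long and random

def demo() -> dict:
    token = sign_hs256({"userId": 123, "role": "admin", "exp": 2_000_000_000}, SECRET)
    # A modified payload paired with the original signature must fail verification
    header_seg, _, sig_seg = token.split(".")
    tampered_body = b64url_encode(json.dumps({"userId": 123, "role": "superuser"}).encode())
    tampered = f"{header_seg}.{tampered_body}.{sig_seg}"
    return {
        "readable_without_key": decode_payload_unverified(token)["role"],
        "valid": verify_hs256(token, SECRET) is not None,
        "tampered_rejected": verify_hs256(tampered, SECRET) is None,
        "wrong_secret_rejected": verify_hs256(token, b"other-secret") is None,
        "expired_rejected": verify_hs256(token, SECRET, now=2_000_000_001) is None,
    }
```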
Summary
Cryptography
│
├── Encryption
│   │
│   ├── Symmetric (1 Key)
│   │   └── AES
│   │
│   └── Asymmetric (2 Keys)
│       └── RSA Encryption
│
└── Digital Signatures
    │
    ├── Symmetric Signature
    │   └── HS256 JWT
    │
    └── Asymmetric Signature
        └── RS256 JWT
Memory Trick:
Encryption = Hide Data
Signature = Verify Data
HS256 = 1 Secret Key
RS256 = Private Key + Public Key
JWT = Usually Signed = Usually Not Encrypted
