If you work with APIs, you've probably come across JWTs. JWT stands for JSON Web Token, and it's a JSON document that contains information about a user. We call the properties of a JWT claims.
ID tokens are tokens carrying user-identifying data like their name and email. You should NEVER use an ID token to validate access to an API.
Access tokens are tokens with claims about the right to access an API.
2/
We use access tokens to validate access to an API.
A JWT has three components: header, payload, and signature.
- Header: it identifies the document as a JWT and contains metadata, such as the algorithm and the key ID used to sign the token.
3/
- Payload: the set of claims that a) identify a user in ID tokens or b) claim the user's access to the API (access tokens).
- Signature: a signature computed over the encoded header and payload with the issuer's signing key. Verifying the signature shows the JWT is legit: it came from the expected issuer and has not been altered.
4/
JWT claims
The standard claims of an access token are:
- iss (issuer): identifies the authorization server that issued the JWT.
- sub (subject): identifies the subject of the JWT, i.e. the user sending the request to the server.
5/
- aud (audience): the JWT's recipient (aka the API server).
- exp (expiration time): when the JWT expires.
- nbf (not before time): time before which the JWT mustn't be accepted.
- iat (issued at time): when the JWT was issued.
- jti (JWT ID): a unique ID for the JWT.
6/