How JWT Authentication Works – JSON Web Tokens Explained
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, self‑contained way to transmit claims between parties as a JSON object.
A JWT is normally digitally signed (a JWS, RFC 7515), which protects its integrity: the receiver can verify that the token was issued by whoever holds the signing key and has not been altered since. Signing does not provide confidentiality: unless the token is additionally encrypted (JWE), the header and payload are only base64url‑encoded and anyone holding the token can read them. JWTs are commonly used for authentication and authorization in modern web applications.
How JWT works – step by step
- User logs in – credentials are sent to the server.
- Server verifies the credentials and builds a JWT whose claims identify the user (sub, roles, iss, aud, exp).
- Server signs the JWT with a shared secret (HMAC, e.g. HS256) or a private key (e.g. RS256, ES256).
- Client stores the JWT. An HttpOnly, Secure, SameSite cookie or in‑memory storage is preferable to localStorage, which any script running on the page (for example via XSS) can read.
- Client sends the JWT on subsequent requests, typically as Authorization: Bearer <token>.
- Server validates the token before trusting anything in it: it checks the alg against a fixed allow‑list, verifies the signature with the expected key, and checks exp (and nbf), iss and aud. Only then does it process the request using the claims.
JWT structure
A JWT consists of three base64url‑encoded parts separated by dots:
xxxxx.yyyyy.zzzzz
- Header – the signing algorithm and token type, e.g. {"alg":"HS256","typ":"JWT"}. The receiver must not let this field choose the algorithm; it enforces the algorithm it expects.
- Payload – the claims: registered ones such as sub, iss, aud, exp and iat, plus application claims such as a role. It is readable by anyone holding the token, so it must not contain secrets.
- Signature – computed over the first two segments (base64url(header) + "." + base64url(payload)) with the secret or private key; it lets the receiver detect any change to the header or payload.
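The following is an added example, not code from the page; it walks through the step‑by‑step flow and the three‑part structure above in one place, using only Python's standard library (the page's own example is in C#). It mints an HS256 token from a set of claims and then validates one the way a server should: algorithm pinned, signature compared in constant time, then exp, nbf, iss and aud checked. The secret, the fixed clock value NOW, the issuer and audience strings and the claim set are constructed for the example; the two helper functions tamper_role and unsigned_token build the kinds of forged token the checks are there to reject.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (not from the page): a fixed clock so the
# run is deterministic, and a 39-byte HMAC secret. Real secrets come from a
# secret store and need at least 32 bytes of entropy for HS256.
NOW = 1_700_000_000
SECRET = b"example-secret-at-least-32-bytes-long!!"
ISSUER = "https://ratpdf.com"
AUDIENCE = "api"
CLAIMS = {"sub": "user123", "email": "user@example.com", "role": "user",
          "iss": ISSUER, "aud": AUDIENCE, "iat": NOW, "exp": NOW + 3600}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Steps 2-3 of the flow: build header.payload and sign it with HMAC-SHA256."""
    if len(secret) < 32:
        raise ValueError("HS256 secret must be at least 32 bytes")
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Step 6 of the flow. Raises ValueError with a reason, or returns the claims once
    every check passes. The payload is not trusted until the signature has matched."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict):
        raise ValueError("malformed token")
    # Pin the algorithm server-side; never let the token's own header choose it.
    # This rejects alg=none and also blocks RS256-to-HS256 key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed payload")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("missing or expired exp")
    if claims.get("nbf", now) > now:
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def check(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
          audience: str = AUDIENCE, now: int = NOW + 10) -> tuple:
    """Convenience wrapper: (True, claims) on success, (False, reason) otherwise."""
    try:
        return True, verify_hs256(token, secret, issuer, audience, now)
    except ValueError as exc:
        return False, str(exc)


def tamper_role(token: str, new_role: str) -> str:
    """What an attacker without the key can do: rewrite the payload, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_json_segment(claims)}.{sig_b64}"


def unsigned_token(claims: dict) -> str:
    """An 'alg: none' token with an empty signature segment (RFC 7518 unsecured JWS)."""
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(claims)}."


if __name__ == "__main__":
    token = mint_hs256(CLAIMS, SECRET)
    print(token)
    print(check(token))
    print(check(tamper_role(token, "admin")))  # (False, 'signature mismatch')
    print(check(unsigned_token(CLAIMS)))       # (False, "unexpected alg 'none'")
    print(check(token, now=NOW + 3600))        # (False, 'missing or expired exp')
```

The order of the checks is the security‑relevant part: the algorithm is pinned first, the signature is verified second, and only then are the claims parsed and compared against values the server already knows (its own issuer, its own audience, its own clock). Reversing that order, or reading alg out of the header to pick the verifier, is how most real JWT validation bugs have happened.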
Why use JWTs?
- ✅ Stateless – no server‑side session storage. The flip side is that a token stays valid until exp, so keep lifetimes short; immediate revocation needs extra server‑side state (a deny‑list, or short‑lived access tokens paired with refresh tokens).
- ✅ Self‑contained – carries the user information the API needs inside the token, so no lookup is required per request.
- ✅ Cross‑platform – works with any language (C#, JavaScript, Python, etc.).
- ✅ Scalable – perfect for microservices and distributed systems.
Code Examples
Generate a JWT in C#
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Load the HMAC secret from the environment or a secret store; never hard-code it.
// HS256 needs at least 32 bytes (256 bits) of real entropy.
var secret = Environment.GetEnvironmentVariable("JWT_SIGNING_KEY")
    ?? throw new InvalidOperationException("JWT_SIGNING_KEY is not set");
var keyBytes = Encoding.UTF8.GetBytes(secret);
if (keyBytes.Length < 32)
    throw new InvalidOperationException("JWT_SIGNING_KEY must be at least 32 bytes");
var securityKey = new SymmetricSecurityKey(keyBytes);
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
var claims = new[] {
    new Claim(JwtRegisteredClaimNames.Sub, "user123"),
    new Claim(JwtRegisteredClaimNames.Email, "user@example.com"),
    new Claim("role", "admin")
};
// Short lifetime: a JWT cannot be revoked without extra server-side state.
var token = new JwtSecurityToken(
    issuer: "https://ratpdf.com",
    audience: "api",
    claims: claims,
    expires: DateTime.UtcNow.AddHours(1),
    signingCredentials: credentials
);
var jwtString = new JwtSecurityTokenHandler().WriteToken(token);