RFC 7519

Standards & Rfcs Security Notes Jan 6, 2025 JAVASCRIPT

Definition

How do you prove who you are on the internet without constantly asking users to re-enter their passwords? RFC 7519 defines JSON Web Tokens (JWTs), a clever solution that has become the backbone of modern web authentication. Instead of checking with a database on every request, servers can issue self-contained tokens that carry all the proof of identity within themselves.

A JWT is essentially a signed JSON object that gets base64-encoded into a compact string. It looks like a random string of characters separated by two dots: xxxxx.yyyyy.zzzzz. But that random-looking string actually contains three parts: a header (telling you what algorithm was used to sign it), a payload (containing the actual claims about the user), and a signature (proving the token has not been tampered with).

The magic of JWTs is in that signature. When a server creates a JWT, it signs it with a secret key. Later, when that JWT comes back with a request, the server can verify the signature mathematically - without consulting any database. If someone tries to modify the JWT (change the user ID, extend the expiration, or grant themselves admin privileges), the signature will not match, and the server will reject it. It is like a tamper-evident seal that cannot be faked.

Example

Staying logged into websites: When you log into a web application, the server creates a JWT containing your user ID, roles, and an expiration time. Your browser stores this token and includes it with every request. The server validates the signature to confirm you are who you claim to be - no database lookup needed.

Mobile app authentication: When you log into a mobile banking app, you receive a JWT. For the next 30 minutes, every tap that requires server communication sends that JWT. The server trusts it because only the bank’s servers can create validly signed tokens.

Single Sign-On (SSO): When you use “Login with Google” on multiple websites, Google issues JWTs that those websites can verify independently. Each site trusts Google’s signature, so they know the token genuinely came from Google.

Microservices communication: In large systems with dozens of services, JWTs let services trust each other. When the order service calls the inventory service, it presents a JWT. The inventory service verifies the signature without needing to call a central authentication server.

Analogy

The Tamper-Proof ID Badge: Imagine an ID badge that contains your photo, name, department, and access permissions - but printed in special ink that changes color if anyone tries to modify it. That is a JWT. All the information is visible (base64 is not encryption), but any tampering is immediately detectable.

The Wax-Sealed Letter: In medieval times, important letters were sealed with wax imprinted with a signet ring. Anyone could read the letter, but the unbroken seal proved it came from the right person and had not been tampered with. JWTs are the digital version of this wax seal.

The Boarding Pass: Your boarding pass contains your name, flight, seat, and boarding time. The airline can verify it is genuine by checking the barcode - they do not need to look you up in a database. If someone photoshopped a different name or seat number, the barcode would not match.

The Notarized Document: A notarized document carries all the information anyone needs, plus a notary’s stamp proving it is authentic. JWTs work similarly - they carry all the claims needed, plus a cryptographic “stamp” proving they are genuine.

Code Example


// JWT Structure: header.payload.signature
// Header (algorithm and type)
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload (claims)
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622,
  "roles": ["admin"]
}

// Creating a JWT (Node.js)
const jwt = require('jsonwebtoken');
const token = jwt.sign(
  {
    sub: user.id,
    name: user.name,
    roles: user.roles
  },
  SECRET_KEY,
  { expiresIn: '1h' }
);

// Verifying a JWT
try {
  const decoded = jwt.verify(token, SECRET_KEY);
  console.log(decoded.name); // "John Doe"
} catch (err) {
  console.error('Invalid token');
}

// Using in HTTP requests
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Security Notes

SECURITY NOTES

CRITICAL: RFC 7519 defines JWT standard. Stateless tokens with signed claims.

JWT Structure:

  • Header: Algorithm and token type
  • Payload: Claims/data
  • Signature: Cryptographic signature

Claim Types:

  • Registered: Standard claims (iss, sub, aud, exp, etc.)
  • Public: Custom claims with namespaces
  • Private: Custom claims between parties

Validation:

  • Signature: Always verify signature first
  • Expiration: Check exp claim
  • Audience: Verify aud claim
  • Issuer: Verify iss claim