Using JWTs for claims and identity
In API access control, JWTs are used to carry identity and authorization information between the client and the server in a portable, tamper-evident form. A JWT is signed, so the party that receives it (usually the API or resource server) can check that the token was issued by the expected issuer and has not been altered, using either a shared secret (HMAC) or public-key cryptography, depending on the algorithm named in the header. Its compact Base64Url serialization makes it easy to carry in an HTTP header (typically Authorization: Bearer) or in the request body. Note that a signed JWT is not encrypted: anyone who holds the token can Base64Url-decode it and read the claims, so secrets must never be placed in the payload.
A JWT comprises three parts: the header, the payload (the set of claims), and the signature, which is a hash-based message authentication code (HMAC) when a symmetric algorithm such as HS256 is used, or a digital signature when an asymmetric algorithm such as RS256 or ES256 is used. Each part is Base64Url-encoded, and the parts are separated by a . character, as shown:
Figure 2.12 – JWT example
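To make the three-part structure concrete, the following is an added example (not code from the book) that builds and verifies an HS256 JWT using only the Python standard library. The secret key and the claims (sub, scope, iat, exp) are constructed for the demonstration; the helper and function names are this example's own, not those of any JWT library. Beyond illustrating the header.payload.signature layout, it shows the checks a verifier must perform: pinning the algorithm instead of trusting the token's alg field, constant-time signature comparison, and rejection of tampered, unsigned (alg=none) and expired tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key and claims for this demo; not taken from the book.
SECRET = b"constructed-demo-secret-use-a-random-256-bit-key-in-practice"
CLAIMS = {"sub": "alice", "scope": "orders:read", "iat": 1_700_000_000, "exp": 1_700_000_600}


def b64url_encode(data: bytes) -> str:
    # Base64Url per RFC 7515: URL-safe alphabet with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that Base64Url strips, then decode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj: dict) -> bytes:
    # No whitespace, so the encoded parts match what other JWT tooling produces.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature, signing the first two parts with HMAC-SHA256."""
    header_b64 = b64url_encode(_json_compact({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(_json_compact(claims))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Return the claims only if structure, algorithm, signature and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side. Honouring the token's own 'alg'
    # is what enables alg=none and HMAC/RSA key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a timing oracle cannot leak the MAC byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def _rejected(token: str, now: int = 1_700_000_010) -> bool:
    try:
        verify_hs256(token, SECRET, now=now)
    except ValueError:
        return True
    return False


def round_trip() -> dict:
    return verify_hs256(sign_hs256(CLAIMS, SECRET), SECRET, now=1_700_000_010)


def header_part() -> str:
    # The encoded header is the familiar 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'.
    return sign_hs256(CLAIMS, SECRET).split(".")[0]


def tampered_payload_is_rejected() -> bool:
    """Escalate the scope claim but keep the original signature."""
    header_b64, _, sig_b64 = sign_hs256(CLAIMS, SECRET).split(".")
    forged_payload = b64url_encode(_json_compact(dict(CLAIMS, scope="orders:admin")))
    return _rejected(f"{header_b64}.{forged_payload}.{sig_b64}")


def alg_none_is_rejected() -> bool:
    """Unsigned token: alg=none header and an empty signature part."""
    header_b64 = b64url_encode(_json_compact({"alg": "none", "typ": "JWT"}))
    payload_b64 = b64url_encode(_json_compact(CLAIMS))
    return _rejected(f"{header_b64}.{payload_b64}.")


def expired_is_rejected() -> bool:
    return _rejected(sign_hs256(CLAIMS, SECRET), now=1_700_000_600)


if __name__ == "__main__":
    print(sign_hs256(CLAIMS, SECRET))
    print(round_trip())
    print(tampered_payload_is_rejected(), alg_none_is_rejected(), expired_is_rejected())
```

Running the block prints the three dot-separated Base64Url parts, the recovered claims, and True three times. The verifier deliberately takes the algorithm and the key from its own configuration rather than from the token: a token can describe itself, but only the verifier decides which algorithms and keys are acceptable.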
Let’s look at these three parts in some more detail: