JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. They are widely used in web applications for purposes such as authentication and information exchange. A JWT is composed of three parts: a header, a payload, and a signature, each separated by dots (.).
Header: The header typically consists of two parts: the type of token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims. Registered claims are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Public claims can be defined at will by those using JWTs. Private claims are used to share information between parties that agree on using them and are neither registered nor public claims.
Signature: To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
Here's an example of a JWT token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwdWJsaWNfa2V5IiwiZXhwIjoxNzg2MzQwMDE4fQ.PFQSoCUQ9rcwF6ipgCmLQgxRdweulQsqZM6slAziN6U
Here are the first two components broken out and base64url decoded:
Header
{"alg":"HS256","typ":"JWT"}
Payload
{"sub":"public_key","exp":1786340018}
In this case, the signature is the HMAC-SHA256 of the encoded header and encoded payload (joined by a dot), keyed with the secret (here the string "private_key") and then base64url encoded.
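The signing and verification steps described above, as an added Python example (not code from the original page or from Sapling's SDK). The secret "demo-secret" and the signing of the page's claims with it are constructed for the demonstration; the verifier pins HS256 on its own side and checks exp instead of trusting whatever the header says.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the stripped padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature; the MAC covers the two encoded segments joined by '.'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, payload))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, secret: str, now=None) -> dict:
    """Return the payload if signature and expiry check out, otherwise raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly three segments
    # Pin the expected algorithm on the verifier side rather than trusting the header
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC with the one carried in the token
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

def verification_error(token: str, secret: str, now=None):
    # Rejection reason as a string, or None when the token is accepted
    try:
        verify_hs256(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    token = sign_hs256({"sub": "public_key", "exp": 1786340018}, "demo-secret")  # page's claims, demo secret
    print(verify_hs256(token, "demo-secret", now=1786340000))
```

The first two segments produced for the page's claims match the header and payload segments shown above exactly, since the JSON is serialised without whitespace; only the signature differs because the secret differs.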
You can pass a JWT token when initializing Sapling's SDK for verification, without exposing your private key. Click the language you plan to use for a quickstart guide with sample code showing how to create a JWT token.