JSON has become the de facto format for data exchange, and almost every public API uses it. With attacks on the rise, it has become crucial to verify the integrity of the data you receive. This is where JSON Web Tokens, or JWTs, come in. As per the official definition, “JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties”.
In plain words, a JSON Web Token lets the receiver check that a piece of JSON data really came from the expected sender and was not modified on the way.
The official JWT website (jwt.io) makes this very clear.
You can see an encoded string on the left and its decoded form on the right. A token has three base64url-encoded parts separated by dots: a header that carries metadata such as the signing algorithm and the token type, a payload that carries the actual JSON data (the claims) you want to share, and a signature computed over the first two parts.
Is it secure?
Well, secure is a relative term; you need to specify what you expect in terms of security. If you used JSON Web Tokens to store something like a user’s email and password, then voila: you have compromised the security of all your users. Anyone with the token can decode the header and payload and read the data, because they are only base64url-encoded, not encrypted. A JSON Web Token is not a two-way encryption scheme that you can use to hide your data. It is just a means of transferring data between two parties and verifying that the data is the original that was generated, i.e. that nobody altered it in transit. I have written a dedicated article on why you should never use JSON web tokens for authentication; make sure you read that for a better view of the topic.
Implementing JWT
JWT has hundreds of libraries with support for almost every programming language. Let us now look at a simple JWT example in Python.
I will be using the pyjwt package for Python in this example.
First of all, I encoded some JSON data with my name and website info; you can see that I supplied the HS256 algorithm and used a secret key, mysecret.
This gives me an encoded string: my JWT, a single string token that contains all my data. After that, I tried to decode it using an incorrect secret, and you can see that I get an error when I do so.
I then supply the correct key and I can see the data. But that doesn’t mean I cannot see the data without the secret key. I copied the string and pasted it on jwt.io.
In the decoded section it shows the contents of the JSON object I had encoded. It also shows an invalid signature warning, since the secret key did not match.
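To make the two points of this walkthrough concrete (the payload is readable by anyone who holds the token, and only the holder of the secret can produce or verify a signature), here is an added, self-contained HS256 implementation using only the Python standard library. It is example code written for this article, not the pyjwt package and not the author's original screenshots; the name and website in the payload are constructed placeholders. It also shows what an attacker without the secret can and cannot do: they can read and even rewrite the payload, but the rewritten token no longer verifies.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised when a token is malformed or its signature does not verify."""


def _b64url_encode(data: bytes) -> str:
    # JWTs use base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def jwt_encode(payload: dict, secret: str) -> str:
    """Build header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_json_bytes(header)) + "." + _b64url_encode(_json_bytes(payload))
    signature = hmac.new(secret.encode("utf-8"), signing_input.encode("utf-8"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def jwt_peek(token: str) -> dict:
    """Return the payload WITHOUT checking the signature.

    This is all jwt.io needs to do to show the decoded JSON: no secret required.
    """
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def jwt_verify(token: str, secret: str) -> dict:
    """Return the payload only if the HS256 signature matches `secret`."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise InvalidToken(f"malformed token: {exc}") from exc
    # Pin the algorithm: the verifier decides how to verify, never the token's header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected or missing alg")
    expected = hmac.new(secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def is_valid(token: str, secret: str) -> bool:
    """Boolean wrapper around jwt_verify for quick checks."""
    try:
        jwt_verify(token, secret)
        return True
    except InvalidToken:
        return False


def tamper(token: str, new_payload: dict) -> str:
    """Swap in a new payload but keep the original header and signature.

    This is exactly what someone without the secret can do to a token.
    """
    header_b64, _old_payload_b64, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(_json_bytes(new_payload))}.{sig_b64}"


# Constructed sample data (the original post used the author's own name and website).
SAMPLE_PAYLOAD = {"name": "Alice", "website": "https://example.com"}
SECRET = "mysecret"

if __name__ == "__main__":
    token = jwt_encode(SAMPLE_PAYLOAD, SECRET)
    print("token:", token)
    print("payload readable without the secret:", jwt_peek(token))
    print("verify with correct secret:", jwt_verify(token, SECRET))
    print("verify with wrong secret:", is_valid(token, "wrongsecret"))
    forged = tamper(token, {"name": "Mallory", "website": "https://example.com"})
    print("forged payload still readable:", jwt_peek(forged))
    print("forged token verifies:", is_valid(forged, SECRET))
```

Running the script prints a three-part token, shows that jwt_peek reads the payload with no secret at all, that verification fails with the wrong secret, and that a token whose payload was rewritten by someone without the secret is rejected even though its contents still decode fine. With pyjwt the equivalent of the pinned-algorithm check is passing algorithms=["HS256"] to jwt.decode, so that the token's own header cannot choose how it is verified.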
Conclusion
JSON Web Tokens, or JWTs, are tokens that contain some JSON data. That data is visible to anyone who gets hold of the token, so hiding data isn’t what JWTs are for. JWTs are often mistaken for undecodable encrypted JSON tokens, but that’s not the case. Use a JWT when you want to check that the data you received comes from someone you trust and has not been modified: with HS256, you both hold the secret key and can check whether the signature is valid. If you are still confused about the actual purpose of JWTs, feel free to drop a comment and I’ll be there for you.