Get the powerful template to approach system design for FREE on newsletter signup:

This post outlines how JSON Web Token works. You will find references at the bottom of this page if you want to go deeper.

• Share this post & I'll send you some rewards for the referrals.

Note: This post is based on my research and may differ from real-world implementation.

Once upon a time, there lived a software engineering student named Keiko.

Although extremely bright, she never worked on any real-world projects.

So she struggled with coding.

Until one day, when she decided to build a weather app.

And shared it with her friends.

Yet she had no idea how user authorization worked.

HTTP is stateless; it means each request should include the necessary information.

And her friends had to enter their username and password on each page for authorization.

It was frustrating.

So she set up a session store on the server:

• It tracks user sessions and gives a session ID to the client.

• And the client includes the session ID with each request header.

The server then checks the session store to identify the client for access.

Although it temporarily solved the authorization problem, there were newer issues.

Her tiny app became popular among university students across the world.

So she had to install more servers and put them behind a load balancer.

But it became difficult to manage sessions with many servers.

Because the load balancer might route requests from a user to different servers.

So she set up sticky sessions. It means routing requests from a specific user to the same server using their user ID or IP address.

Yet it doesn’t scale well because of stateful servers and uneven load distribution.

So she installed a shared session store. It keeps session data separate in a central store.

A shared session store allows stateless servers. But introduces coupling and becomes a single point of failure.

So she set up JSON Web Token (JWT) for authorization.

Think of JWT as a badge to enter a building. A user gets the badge from the front desk after verification. Then they can access authorized rooms without verifying their identity again.

The server doesn’t store session information with JWT. Instead JWT includes necessary authorization information, and the server checks the JWT on each request.

Imagine authentication as permission to enter a building. And authorization as the permission to enter specific rooms of the building.

Onward.

Linear: Issue tracking without the noise - Sponsor

Simple, robust, and blazingly fast.

Linear is purpose-built for engineers:

• Create issues in seconds

• Automate your Git workflows

• Navigate your entire workflow with keyboard shortcuts

Less grunt work, less context switching. More focus, more flow. See for yourself with $250 off.

Explore Linear

How JWT Works

Let’s dive in:

1. JWT Structure

JWT doesn’t look like a JSON object, but a set of characters.

It has 3 parts:

• Header: It specifies the signing algorithm, such as RSA or HMAC

• Payload: It contains data and expiry time

• Signature: It shows the payload’s authenticity

The payload is base64url encoded for compactness and ease of transmission across networks.

The server combines the header and payload with a secret key. Then it performs the signing algorithm to create the signature. Only the server has access to the secret key.

The server recomputes the signature using the header and payload each time it receives a JWT. Thus checking if the payload was modified.

Ready for the best part?

2. JWT Workflow

Here’s the JWT authorization workflow:

1. The user enters the name and password for authentication

2. The server creates a JWT using the authorization information

3. The server signs the JWT and gives it to the client

4. The client includes JWT in HTTP headers for authorization

The server allows a request only if the signature on the JWT is valid.

3. JWT Security

There’s a risk of JWT getting stolen and used for false authorization.

Here are some ways to avoid this problem:

• Send JWT over HTTPS for security

• Set an expiry time on the JWT to limit the damage

• Assign minimum roles to JWT to reduce the damage

Yet there’s no way to invalidate a stolen JWT. A workaround is to include the stolen JWT in a denial list on the server.

JWT remains a popular authorization mechanism on the internet and in microservices architecture. It makes it easier to transfer information across services.

Solving a problem makes the next one easier.

So build projects. And join my free newsletter to elevate your system design skills.

Subscribe to get simplified case studies delivered straight to your inbox:

Want to advertise in this newsletter? 📰

If your company wants to reach a 145K+ tech audience, advertise with me.

Thank you for supporting this newsletter. Consider sharing this post with your friends and get rewards. Y’all are the best.

Share

TL;DR 🕰️

You can find a summary of the article here. Consider a repost if you find it helpful.

How DNS Works 🔥

Neo Kim

·

May 2

Read full story

How Figma Scaled to 4M Users—Without Fancy Databases 🔥

Neo Kim

·

Apr 16

Read full story

References

• Introduction to JSON Web Tokens

• JSON Web Token - RFC

• JSON Web Token Structure

• Authentication vs Authorization: Key Differences

• What is HTTPS?

• Block diagrams created with Eraser