By the specification (RFC7519), "a JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties". A JWT leverages JavaScript Object Notation (JSON) to represent these claims, resulting in a small and simple token that is used by protocols such as OpenID Connect 1.0 to represent an identity to the application and OAuth 2.0 to represent an access token for API authorization.
JWT defines the token format and relies on complementary specifications to handle signing and encryption. This collection of specifications is known as JOSE (JavaScript Object Signing & Encryption) and consists of the following components:
| Component | Specification | Purpose |
|---|---|---|
| JWS | JSON Web Signature (RFC7515) | defines the process to digitally sign a JWT |
| JWE | JSON Web Encryption (RFC7516) | defines the process to encrypt a JWT |
| JWA | JSON Web Algorithm (RFC7518) | defines a list of algorithms for digitally signing or encrypting |
| JWK | JSON Web Key (RFC7517) | defines how a cryptographic key and sets of keys are represented |
This guide will describe the various components of the JOSE family of specifications and walk through common developer scenarios such as decoding and encoding a JWS.
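As an added illustration of the encode/decode scenario this guide describes (this is example code written for this page, not code from the JOSE specifications or any library), the following Python uses only the standard library to build a JWS in compact serialization with the HS256 algorithm from JWA, then verifies it. The secret and the claims are constructed sample values. It shows the three base64url-encoded parts (header, payload, signature), the padding-free base64url encoding RFC 7515 requires, and two verification checks a practitioner should insist on: the expected algorithm is pinned by the verifier rather than taken from the token's header, and the HMAC comparison is constant-time.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key for this demonstration only; a real service would
# load its HMAC key from a secret store and never embed it in source.
SECRET = b"example-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url encoding with padding stripped, as RFC 7515 section 2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the '=' padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature for the given claims using HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) keeps the token small; any valid JSON is allowed.
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_jws(token: str, key: bytes) -> dict:
    """Verify an HS256 JWS and return its claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides which algorithm is acceptable. Trusting header["alg"]
    # would let a token downgrade itself (for example to "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def round_trip(claims: dict, key: bytes) -> dict:
    """Sign and immediately verify; returns the recovered claims."""
    return verify_jws(sign_jws(claims, key), key)


if __name__ == "__main__":
    token = sign_jws({"sub": "alice", "admin": False}, SECRET)
    print("token:", token)
    print("claims:", verify_jws(token, SECRET))
```

Decoding the first two parts of the token needs no key at all, which is why a JWS protects integrity but not confidentiality; anything secret belongs in a JWE instead.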