JWT, or JSON Web Token, is an open standard used to transfer claims and share security information (authentication / authorization) between two parties.

The JWT encodes the claims in JavaScript Object Notation (JSON). For example, a server could generate a token that has the claim "logged in as administrator" and provide that to the client. The tokens are typically signed and optionally encrypted. Signed tokens are commonly referred to as JSON Web Signatures (JWS) and encrypted tokens as JSON Web Encryption (JWE). Tokens can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Signing ensures. JWS ensure

Note that without a secure channel, the JWT can be intercepted via a man-in-the-middle attack, so when securing APIs with JWTs, ensure a secure channel with TLS. Note that even when TLS is used, sensitive user information should still not be kept in the JWT, as it would be exposed on the server side.

A JWT is a string made up of three parts (header, payload, signature) separated by dots (.), and serialized using base64.

JWT Example

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMTSIsImlhdCI6MTYxOTQ3MDY4MiwiZXhwIjoxNjE5NDcxODg2LCJhdWQiOiJsb2dpY21vbml0b3IuY29tIiwic3ViIjoiTmVkIn0.mqWsk4fUZ5WAPYoY9bJHI7gD8Zwdtg9DUoCll-jXCMg

HEADER

A header in a JWT is mostly used to describe the cryptographic operations applied to the JWT, such as the signing or encryption technique used on it. It can also contain data about the media/content type of the information being sent.

Decoded Header
{
  "typ": "JWT",
  "alg": "HS256"
}

The ‘typ’ gives us the type of this information packet, whereas the ‘alg’ tells us the algorithm used to secure it. Some JWTs can also be created without a signature or encryption. Such a token is referred to as unsecured, and its header should have the ‘alg’ key set to ‘none’. Note that if the JWT processing function blindly adheres to the algorithm type declared in the header and the “alg” header is set to “none”, the JWT will be processed as valid without any of the protection that a signature provides.

{
  "alg": "none"
}
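As an added example (not code from the original page), here is a minimal HS256 signer and verifier built on Python's standard library: it splits a token into its three dot-separated parts, base64url-decodes the header, and refuses any header whose alg is not the expected HS256, so an unsecured ‘none’ token is rejected instead of being trusted. The secret and the claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo secret for this example; a real service loads it from a secret store.
SECRET = b"demo-secret-do-not-use"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature, signing with HMAC-SHA256 (HS256)."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes):
    """Return the claims dict if token is a valid HS256 JWS, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed base64 or JSON
        return None
    # Pin the algorithm: an 'alg: none' header is rejected, not trusted as unsigned.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))

# Constructed sample claims (made up for this example).
CLAIMS = {"iss": "CMF", "aud": "clarifyforme.com", "sub": "cfm"}
TOKEN = sign_hs256({"typ": "JWT", "alg": "HS256"}, CLAIMS, SECRET)
# The same claims as an unsecured token: 'alg: none' header and an empty signature.
NONE_TOKEN = b64url_encode(b'{"alg":"none"}') + "." + TOKEN.split(".")[1] + "."
if __name__ == "__main__":
    print(verify_hs256(TOKEN, SECRET))       # the claims dict
    print(verify_hs256(NONE_TOKEN, SECRET))  # None: unsecured token rejected
```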

PAYLOAD

Decoded Payload
{
  "iss": "CMF",
  "iat": 16198760682,
  "exp": 1612345677,
  "aud": "clarifyforme.com",
  "sub": "cfm"
}

The payload is the part of the JWT where all the user data is actually added. This data is also referred to as the ‘claims’ of the JWT.

There are three types of claims

SIGNATURE

mqWsk4fUZ5WAPYoY9bJHI7gD8Zwdtg9DUoCll-jXCMg

Best JWT practices

When to use JWT

Advantages of JWT