JWT — Three Parts, One Contract
We all “know” JWTs. But knowing what they are and knowing what they actually prove are not the same.
Let’s reset the mental model.
What a JWT actually proves (read this first)
A JWT does not prove who the user is by itself.
What it proves, once the verifier has checked the signature with the right key, is:
A trusted authority issued a set of claims at some point in time, and those claims have not been altered since they were signed.
So when we say “JWT authentication”, what we really mean is:
“This request carries a token issued by our auth system for this user, and it’s still valid.”
JWTs prove issuer trust and integrity, not live identity: a session revoked, an account deleted or a role changed after issuance is invisible to the token until it expires, unless the server checks something beyond the token.
The structure: 3 parts, different responsibilities
A JWT looks like this:
header.payload.signature
All three parts are Base64URL-encoded, not encrypted. (A signed JWT is a JWS; only JWE, a different format, hides the payload.)
This distinction matters: anyone holding the token can decode the header and payload and read every claim, so the signature is the only thing standing between a rewritten payload and an API that trusts it.
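The following is an added example, not code from the post: a minimal HS256 mint-and-verify in plain Python (standard library only, no PyJWT) that shows both points above at once. The payload is readable by anyone without the key, a tampered payload fails the signature check, and a verifier that only checks the signature is not enough, so it also pins the algorithm and checks `iss`, `aud` and `exp`. The key, issuer, audience, claims and fixed "current time" are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from the post).
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example"
AUDIENCE = "api.example"
NOW = 1_700_000_100  # fixed "current time" so the example is deterministic


def b64url_encode(raw):
    """Base64URL without '=' padding, as the JWS format requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg):
    """Re-add the padding the token format strips, then decode."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def sign_hs256(payload, key):
    """Mint header.payload.signature; the MAC covers the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token):
    """Anyone can do this: header and payload are encoded, not encrypted."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def tamper_payload(token, **changes):
    """Rewrite claims but keep the original signature, as an attacker would try."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    new_p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return h + "." + new_p + "." + s


def verify_hs256(token, key, issuer, audience, now=None):
    """Return (ok, reason, claims). Checks what a JWT can actually prove:
    integrity under our key, our issuer, our audience, not yet expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h_seg, p_seg, s_seg = parts
    try:
        header = json.loads(b64url_decode(h_seg))
        sig = b64url_decode(s_seg)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # Pin the algorithm server-side; never let the token choose (alg=none etc.).
    if header.get("alg") != "HS256":
        return False, "alg not allowed", None
    expected = hmac.new(key, (h_seg + "." + p_seg).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature", None
    claims = json.loads(b64url_decode(p_seg))
    if claims.get("iss") != issuer:
        return False, "wrong issuer", None
    if claims.get("aud") != audience:
        return False, "wrong audience", None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", None
    return True, "ok", claims


def make_demo_token():
    """Constructed claims for the demo user; exp is 800 s after NOW."""
    return sign_hs256(
        {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
         "iat": NOW - 100, "exp": NOW + 800},
        DEMO_KEY,
    )


if __name__ == "__main__":
    token = make_demo_token()
    print("readable without the key:", decode_unverified(token)[1])
    print("genuine:", verify_hs256(token, DEMO_KEY, ISSUER, AUDIENCE, NOW)[:2])
    forged = tamper_payload(token, sub="admin")
    print("forged sub decodes fine:", decode_unverified(forged)[1]["sub"])
    print("forged verifies:", verify_hs256(forged, DEMO_KEY, ISSUER, AUDIENCE, NOW)[:2])
    print("after exp:", verify_hs256(token, DEMO_KEY, ISSUER, AUDIENCE, NOW + 1000)[:2])
```

Note that `decode_unverified` happily returns `"admin"` for the forged token; only `verify_hs256` rejects it, and it does so by recomputing the MAC, not by looking at the claims. Real deployments should also reject tokens whose `iat` or `nbf` lie in the future and should load the key by `kid` from the issuer's configuration rather than trusting anything in the header beyond that lookup.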