Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JSON Web Tokens
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Thameera Senanayaka
August 17, 2017
Programming
310
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
JSON Web Tokens
Event: Colombo JavaScript Meetup
Date: 2017/08/17
Thameera Senanayaka
August 17, 2017
Other Decks in Programming
See All in Programming
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.4k
Datadog LLM Observabilityで実現する 安全なLLM Usage 管理
3150
0
130
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
ECSアプリログをFireLensでコスト削減しようとしたけど諦めた話 in Fargate×Node.js
akihisaikeda
2
4.2k
エンジニア向け会社紹介/Findy Company Profile
findyinc
6
360k
生成AI時代にこそ効くGo | Why Go Works in the Age of Generative AI
mom0tomo
8
3.4k
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
15
8k
さぁV100、メモリをお食べ・・・
nilpe
0
160
技術的負債解消で開発者の未来を開く- AIの力でコード刷新
kmd2kmd
0
120
任せる範囲はこう広がった / How the Scope of AI Delegation Has Expanded
nrslib
1
210
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
handlename
0
810
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
200
Featured
See All Featured
[SF Ruby Conf 2025] Rails X
palkan
2
1.1k
Become a Pro
speakerdeck
PRO
31
6k
YesSQL, Process and Tooling at Scale
rocio
174
15k
Speed Design
sergeychernyshev
33
1.9k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
baasie
0
600
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.3k
Building Adaptive Systems
keathley
44
3.1k
SEO for Brand Visibility & Recognition
aleyda
0
4.6k
Bootstrapping a Software Product
garrettdimon
PRO
307
120k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
Evolving SEO for Evolving Search Engines
ryanjones
0
230
Practical Orchestrator
shlominoach
191
11k
Transcript
JSON Web Tokens Thameera Senanayaka
@thameera twitter.com/thameera
None
None
None
None
None
None
None
None
None
None
None
None
None
None
JSON Web Tokens aka JWT
RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between
two parties
JSON Web Token
{ "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q
JWT.io
Demo
Signing algorithms → HMAC → RSA → ECDSA
Payload Reserved claims iss, sub, exp, aud, ...
How to build a JWT
payload { "name": "jon snow", "house": "stark", "sub": "1234" }
base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi
wic3ViIjoiMTIzNCJ9
header { "typ": "JWT", "alg": "HS256" }
base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
signature signature = sign( bHeader + '.' + bPayload, secret
) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=
Add everything together jwt = bHeader.bPayload.bSignature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=
Live coding !
Is the JWT encrypted?
JWTs are signed, not encrypted
How does the server know that we didn't mess with
the JWT?
Don't Reinvent The Wheel JWT libraries are available for almost
every language and framework
Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const
token = jwt.sign({ name: 'thameera' }, 'mySecret123')
Verifying a JWT const jwt = require('jsonwebtoken') try { const
decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }
Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain
Sessions vs Tokens Pass by Reference vs Pass by Value
Where to go from here?
JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519
JWT Handbook https://goo.gl/HyzEZA
Thank you!