Introduction to JSON Web Tokens
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
The header and payload are Base64Url-encoded.
* Do note that for signed tokens this information, though protected against tampering, is readable by anyone.
JWT Structure
A JWT consists of three parts separated by dots (.)
xxxxx.yyyyy.zzzzz
- Header
- Payload
- Signature
Header
The header consists of two parts: the type of the token (JWT) and the hashing algorithm used (here HMAC SHA256).
{ "alg": "HS256", "typ": "JWT" }
Payload
The payload contains the claims, in JSON format. There are three types of claims: registered, public, and private claims.
Signature
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
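The three-segment structure and the HS256 signature formula above, worked through in Python using only the standard library. This is an added example, not code from the original page; the secret and claim values are constructed for the demo, and the verifier pins the expected algorithm rather than trusting the one named in the header.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    # Base64Url: URL-safe alphabet with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # restore the padding the encoder removed before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # compact JSON (no whitespace) so the encoded segments are stable
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    # signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def read_payload_unverified(token: str) -> dict:
    # the payload of a signed token is readable by anyone, no secret needed
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # the verifier decides which algorithm it accepts; the token does not
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # constant-time comparison of the recomputed and presented signatures
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for this example
    token = sign_hs256({"sub": "user-42", "iss": "example-issuer"}, secret)
    print(token)
    print(read_payload_unverified(token))
    print(verify_hs256(token, secret))
```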