RFC 7519 Proposed Standard

JSON Web Token (JWT)

M. Jones, J. Bradley, N. Sakimura · 2015-05

Abstract

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

Why This RFC Matters

RFC 7519 defined JWT, which became the de facto standard for stateless authentication tokens in web APIs and microservice architectures. A JWT encodes identity claims (subject, issuer, expiration, roles) in a base64url-encoded JSON payload that the issuing server signs, so any service that trusts the signing key or certificate can validate the token without a database lookup. This stateless property makes JWTs well suited to distributed systems and is the basis of OpenID Connect (OIDC) ID tokens, OAuth 2.0 access tokens issued by many providers, and service-to-service authentication in cloud-native deployments.
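The signing and stateless-validation step described above, shown as an added example that is not part of RFC 7519 or any library's code. It builds an HS256 (HMAC-SHA256) JWT from the standard library and verifies it the way a resource server should: the `alg` header is pinned to the expected value before anything else is trusted, the MAC is checked with a constant-time comparison, and only then are the `exp`, `nbf`, `iss` and `aud` claims evaluated. The shared key, issuer, audience and `verify_result` helper are constructed for this demonstration; the `now` parameter exists so the time checks are deterministic.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # base64url without padding, as RFC 7515 requires for JWS segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # re-add the padding stripped at encode time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload signed with HMAC-SHA256 over the ASCII signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


class JWTError(Exception):
    pass


def jwt_verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[float] = None) -> dict:
    """Resource-server side: reject before trusting any claim, then validate claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and bad JSON are both ValueErrors
        raise JWTError("undecodable segment") from exc
    # Pin the algorithm: never let the token choose how it is verified ("none", key confusion).
    if header.get("alg") != "HS256":
        raise JWTError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JWTError("bad signature")
    # Only now is the payload trustworthy enough to parse and evaluate.
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise JWTError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise JWTError("not yet valid")
    if claims.get("iss") != issuer:
        raise JWTError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise JWTError("wrong audience")
    return claims


def verify_result(token: str, key: bytes, issuer: str, audience: str,
                  now: Optional[float] = None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        jwt_verify_hs256(token, key, issuer, audience, now)
        return "ok"
    except JWTError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed demo values; a real deployment would load the key from a secret store.
    demo_key = b"constructed-demo-key-not-for-production"
    token = jwt_sign_hs256(
        {"iss": "https://issuer.example", "aud": "api", "sub": "alice", "exp": 1000, "nbf": 900},
        demo_key)
    print(token)
    print(verify_result(token, demo_key, "https://issuer.example", "api", now=950))   # ok
    print(verify_result(token, demo_key, "https://issuer.example", "api", now=1000))  # expired
```

Because the MAC is checked before the payload is parsed, a forged payload with a reused signature, an `alg: none` header, or a token minted under a different key all fail without any claim being read; claim checks such as `exp` then bound the damage of a key that has leaked.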
