Authorization is the process of verifying what a user has access to (whereas authentication is the process of verifying who someone is).
JWT
Each JWT contains encoded JSON objects, including a set of claims. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued.
Three components, separated by dots (it looks something like this: xxxxx.yyyyy.zzzzz):
- Header: contains the type of token and the signing algorithm
- Payload: contains the claims
- Signature: ensures the token hasn't been altered

The party that creates the JWT signs the header and payload with
- a secret that is known to both the issuer and the receiver, or
- a private key known only to the issuer

When the token is used, the receiving party verifies that the signature is valid over the header and payload (using the shared secret, or the public key that matches the issuer's private key).
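The sign-then-verify flow described above, as an added example (not from the original note) using only the Python standard library with the shared-secret variant (HMAC-SHA256, "HS256"). The secret and claims are constructed for the example; the verifier pins the algorithm it expects rather than trusting the token's own header, uses a constant-time comparison, and checks the `exp` claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; a real issuer uses a random key of at least 256 bits.
SECRET = b"constructed-example-secret-do-not-use"


def b64url(data: bytes) -> str:
    # JWT uses base64url encoding with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # Restore the padding that b64url() removed before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, secret: bytes) -> str:
    # Header declares the token type and the algorithm; payload carries the claims.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    # The signature covers "<header>.<payload>" exactly as it appears in the token.
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    # Returns the claims when the token is valid, otherwise None.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong number of parts, bad base64url, or bad JSON
        return None
    # Pin the expected algorithm: the receiver decides how to verify, never the
    # token's own 'alg' field (so "none" or a different algorithm is rejected).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims
```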
See also: UCAN, access control