# JWT Token Basics

There are 2 main ways in which we can keep track of the users logged in our application

* The first one is to have some sort of code in memory or on the backend that keeps track when the user logs in and when the user logs out

* The 2nd one is JWT Token based. This is stateless meaning that there is nothing our API, Backend or Memory that keeps track of the login

* The token itself is stored on the front end and the clients keep track if it's logged in or not

## JWT Token Authentication

### How it works:

<figure><img src="https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FV3QlDdkPE06OWpEjqucX%2Fimage.png?alt=media&#x26;token=06ae55a0-a407-4e6e-bce9-5d0b6c7efe89" alt=""><figcaption></figcaption></figure>

* 1st we will create a path operation for <mark style="color:orange;">`/login`</mark> which will allow the user to authenticate
* Once logged in the credentials will be verified and if correct the JWT Token will be generated
* The JWT Token will be passed to the client
* Once the client has the token
  * The client will make a request where authentication is required
  * In the header of the HTTP request the token will be passed as well
* The API then checks the token if it's valid
* If the token is valid, it will return the required data

## &#x20;JWT Deep Dive

<figure><img src="https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FBmuMHEDHCZzSUOsatqfd%2Fimage.png?alt=media&#x26;token=d84e432b-5e0b-4f11-a862-6c4ac52695e1" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
JWT Tokens are not encrypted!
{% endhint %}

* JWT Tokens are made of 3 Individual pieces&#x20;
  * HEADER
  * PAYLOAD
  * VERIFY SIGNATURE

### Header

* Metadata about the token
* Almost like hashing the token
* Metadata is the same for all of our tokens

### Payload

* This is up to you
* You can send any information that you want
* However you will have to consider what info you are sending as the Token IS NOT encrypted
* Anybody else outside in the world can look in the token and read it
* This means no confidential information
* Stick to basic things such as:
  * ID of the user
  * User Roles
* Something to keep in mind is that every time you need to access info that requires authentication, this token will be used
  * So if you pack too much info, you can lose bandwidth because of it

### Signature

* It's a combination of 3 things:
  * Header
  * Payload
  * Secret

{% hint style="info" %}
The Secret is a special password that we keep on our API

* This is only on our API

* Nobody else should know it

* Probably the most important thing for our authentication system
  {% endhint %}

* We take that information and pass it through our signing algorithm (HMACSHA256)

* This will return a signature&#x20;

{% hint style="warning" %}
This signature is important because it will be used to determine if the token is valid

* We do not want people tampering with the token or changing data&#x20;
* Or changing data to look like a different user

The signature is to make sure that nobody has tampered with our token
{% endhint %}

## Purpose of Signature

<figure><img src="https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2F2iB6gaj6mdFcPCOBmIBX%2Fimage.png?alt=media&#x26;token=cb7c6932-6235-4ddd-b545-f223ec92f469" alt=""><figcaption></figcaption></figure>

* The main takeaway here is that the signature when generating the token is made on the API side
* So if a malicious user tries to modify the data, it will not work as the signature does not match
* He can modify the data on the payload but then needs to create a new signature which does not match as the user does not have the API password to generate the new signature correctly
* The signature is created dynamically for the token
* The signature only ensures that the data integrity is still valid

{% hint style="warning" %}

* Anybody can see the data of the token
* Anybody can change the data of the token
* Nobody can generate a new & correct signature for the data in the token
* Nobody has access to the secret
  {% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.arkannis.net/programming/python/frameworks/fastapi/jwt-token-basics.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.