# JWT Token Basics

There are 2 main ways in which we can keep track of the users logged in our application

* The first one is to have some sort of code in memory or on the backend that keeps track when the user logs in and when the user logs out

* The 2nd one is JWT Token based. This is stateless meaning that there is nothing our API, Backend or Memory that keeps track of the login

* The token itself is stored on the front end and the clients keep track if it's logged in or not

## JWT Token Authentication

### How it works:

<figure><img src="https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FV3QlDdkPE06OWpEjqucX%2Fimage.png?alt=media&#x26;token=06ae55a0-a407-4e6e-bce9-5d0b6c7efe89" alt=""><figcaption></figcaption></figure>

* 1st we will create a path operation for <mark style="color:orange;">`/login`</mark> which will allow the user to authenticate
* Once logged in the credentials will be verified and if correct the JWT Token will be generated
* The JWT Token will be passed to the client
* Once the client has the token
  * The client will make a request where authentication is required
  * In the header of the HTTP request the token will be passed as well
* The API then checks the token if it's valid
* If the token is valid, it will return the required data

## &#x20;JWT Deep Dive

<figure><img src="https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FBmuMHEDHCZzSUOsatqfd%2Fimage.png?alt=media&#x26;token=d84e432b-5e0b-4f11-a862-6c4ac52695e1" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
JWT Tokens are not encrypted!
{% endhint %}

* JWT Tokens are made of 3 Individual pieces&#x20;
  * HEADER
  * PAYLOAD
  * VERIFY SIGNATURE

### Header

* Metadata about the token
* Almost like hashing the token
* Metadata is the same for all of our tokens

### Payload

* This is up to you
* You can send any information that you want
* However you will have to consider what info you are sending as the Token IS NOT encrypted
* Anybody else outside in the world can look in the token and read it
* This means no confidential information
* Stick to basic things such as:
  * ID of the user
  * User Roles
* Something to keep in mind is that every time you need to access info that requires authentication, this token will be used
  * So if you pack too much info, you can lose bandwidth because of it

### Signature

* It's a combination of 3 things:
  * Header
  * Payload
  * Secret

{% hint style="info" %}
The Secret is a special password that we keep on our API

* This is only on our API

* Nobody else should know it

* Probably the most important thing for our authentication system
  {% endhint %}

* We take that information and pass it through our signing algorithm (HMACSHA256)

* This will return a signature&#x20;

{% hint style="warning" %}
This signature is important because it will be used to determine if the token is valid

* We do not want people tampering with the token or changing data&#x20;
* Or changing data to look like a different user

The signature is to make sure that nobody has tampered with our token
{% endhint %}

## Purpose of Signature

<figure><img src="https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2F2iB6gaj6mdFcPCOBmIBX%2Fimage.png?alt=media&#x26;token=cb7c6932-6235-4ddd-b545-f223ec92f469" alt=""><figcaption></figcaption></figure>

* The main takeaway here is that the signature when generating the token is made on the API side
* So if a malicious user tries to modify the data, it will not work as the signature does not match
* He can modify the data on the payload but then needs to create a new signature which does not match as the user does not have the API password to generate the new signature correctly
* The signature is created dynamically for the token
* The signature only ensures that the data integrity is still valid

{% hint style="warning" %}

* Anybody can see the data of the token
* Anybody can change the data of the token
* Nobody can generate a new & correct signature for the data in the token
* Nobody has access to the secret
  {% endhint %}