Alberto Salazar

Java Champion - Oracle Groundbreaker Ambassador - Jug Leader - Auth0 Ambassador & JCP Associate Member.

True believer in open source, passionate developer. Founder,,


Events and Conferences..

24 February 2018

Introduction to Json Web Tokens JWT

by Alberto Salazar

I’ve recently been honored as an Auth0 Ambassador and the best way to celebrated it is producing one entrance to the blog talling about Identity concerns and Security concepts.


JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

In other works if we need to exchange messages between two applications we can use JWTs to assure secure the messages. The information coudl be verified and tristed because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

The token will look like the following: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ7XCJ1c2VybmFtZVwiOlwiY2xvdWRiYW5jb1wiLFwiZnVsbE5hbWVcIjpudWxsLFwidXNlcklkXCI6XCIxXCIsXCJpZGVudGlmaWNhdGlvblwiOm51bGx9IiwiZXhwIjoxNTEzMTI0NjMzfQ.bLFYuhhE4Ezlj7bwKC1KT9At1ba9JiDULJ5YoRayurqeYK1J8zCsX1t4lFo7Nwo5sYz2O8cabIWo1yuqjCaWfg

JSON Web Tokens consist of three parts separated by dots (.), which are:

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA. Header = eyJhbGciOiJIUzUxMiJ9


The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user, role or any data that will need to autorize resources) and additional data.

Payload = eyJzdWIiOiJ7XCJ1c2VybmFtZVwiOlwiY2xvdWRiYW5jb1wiLFwiZnVsbE5hbWVcIjpudWxsLFwidXNlcklkXCI6XCIxXCIsXCJpZGVudGlmaWNhdGlvblwiOm51bGx9IiwiZXhwIjoxNTEzMTI0NjMzfQ


To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

Signature = bLFYuhhE4Ezlj7bwKC1KT9At1ba9JiDULJ5YoRayurqeYK1J8zCsX1t4lFo7Nwo5sYz2O8cabIWo1yuqjCaWfg


tags: JWT. Json Web Tokens, Security, Java

About me.

Java Professional with more than 17 years experience creating Java architectures for large scalable, high transaction load systems since J2EE 1.3 and receltly honored as Java Champion, Oracle Groundbreaker Ambassador and Auth0 Ambassador .

Java Champion, JugLeader, Oracle Groundbreaker Ambassador, Auth0Ambassador & JCPMember.Founder Java Users Group Ecuador and Javaday Ecuador Conference. Speaker at world class conferences such as: JavaOne, Oracle Code, Redhat Summit, Oracle Code Latam Tour, Oracle OTN LAD and locally ECUADOR Java Users Group.

I also start evangelize Java between 2006 to 2010 like an official trainner of SUN Microsystems, Inc. Of the certification java path like: SL-285 Developing Applications With the Java SE Platform, FJ-310 Developing Applications for the Java EE Platform, SL-314 Web Component Development with Servlet and JSP Technologies.

Certified as: Oracle Certified Master Java EE5 Enterprise Architect Step1. Sun Certified Programmer for the Java Platform Standard Edition 5. Sun Certified Professional. SOA Certified Profesional, Apache Service Mix & Apache Camel Advanced Developer Advaced Integration and more....