JWTs consist of three parts separated by periods (.): the header, the payload and the signature. Therefore a JWT usually looks as follows:
xxxxx.yyyyy.zzzzz
See RFC 7519 for the full specification.
Header
The header usually consists of two parts: the type of token, which is JWT, and the signing algorithm, such as HMAC SHA256 (HS256) or RSA (RS256). This JSON is base64url-encoded to form the first part of the token.
{ "alg": "HS256", "typ": "JWT" }
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (usually the user) plus additional metadata. This is the interesting part, because by decoding the token we can read who it refers to. Note that the payload is only base64url-encoded, not encrypted: anyone who holds the token can read it, so it must never carry secrets. {"userid": "1234567890", "expiration_date": "2016-05-12"}
When we create a new token we decide what goes into the payload: for example a user ID to identify the user and an expiration date, so the server can tell when it is time to ask for a new one. (The registered claim names for these are "sub" and "exp", with "exp" expressed as seconds since the epoch; JWT libraries check "exp" automatically but know nothing about a custom name like "expiration_date".)
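To make the encoding concrete, here is an added example (not code from the original article) using only Python's standard library. It encodes the header and payload exactly as shown above and then reads them back from a token without the secret, which is what any client, proxy or attacker can do. The constant names and sample values are constructed for the example.

```python
import base64
import json

# Constructed example values (not from the page); any user id / date works here.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"userid": "1234567890", "expiration_date": "2016-05-12"}


def b64url_encode(raw: bytes) -> str:
    # JWT uses the URL-safe alphabet without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped, then decode.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def encode_part(obj: dict) -> str:
    # Compact JSON (no spaces) so the encoded string is stable and matches
    # what common libraries produce.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_part(text: str) -> dict:
    return json.loads(b64url_decode(text))


def build_unsigned_token(header: dict, payload: dict) -> str:
    # The third part (signature) is left empty here; the Signature section
    # below covers how it is computed.
    return encode_part(header) + "." + encode_part(payload) + "."


def read_claims_unverified(token: str) -> tuple:
    """Return (header, payload) of a token WITHOUT checking the signature.

    The first two parts are only encoded, not encrypted: this function needs
    no secret, which is why the payload must never contain sensitive data.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three parts")
    return decode_part(parts[0]), decode_part(parts[1])
```

The header above encodes to the familiar `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` prefix seen at the start of most HS256 tokens; if your encoder adds padding or spaces you get a different string and other implementations will still decode it, but signature comparisons with tokens produced elsewhere will fail.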
Signature
To create the signature, take the base64url-encoded header and the base64url-encoded payload, join them with a period, and sign that string with the secret using the algorithm named in the header (for HS256 this is HMAC-SHA256 keyed with the secret). The signature lets the server verify that the token was issued by whoever holds the key and that neither header nor payload has been modified along the way. One caveat: the verifier must not let the token's own "alg" field choose how the signature is checked; it should accept only the algorithm the server actually issues, otherwise a token with "alg": "none" or a changed algorithm may pass.
Server side
We store our secret key on the server side. With it the server recomputes the signature and checks that the token is genuine, then reads the payload to see which user it belongs to; nothing is decrypted, because the payload is only encoded. Since each token carries enough data to validate the user, we do not need to store tokens or sessions on the server. The cost of that statelessness is that a token cannot be revoked before it expires, so keep lifetimes short.
How to renew a token? From the client side
Creating a renewed token works just like creating the original one. The client calls a renewal service (an HTTP request, for example to www.myhost.com/renew) and sends the old token; the server verifies the old token's signature to confirm which user it belongs to, then issues a new token with the same payload but a later expiration date. Only a token whose signature verifies should ever be renewed, and a server will normally refuse to renew a token that expired long ago, forcing a fresh login instead.
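The signing, server-side verification and renewal described in the Signature, Server side and renewal sections above, as one added example in Python's standard library (this is not the article's code). The secret value, the use of the registered "exp" claim instead of "expiration_date", the renewal grace period and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; in production the secret comes from
# configuration or a secret store, never from source code.
SECRET = b"example-server-secret-do-not-use"
# Assumption: how long after expiry a renewal request is still accepted.
RENEWAL_GRACE_SECONDS = 7 * 24 * 3600


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature as the Signature section describes."""
    if header.get("alg") != "HS256":
        raise ValueError("this signer only implements HS256")
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now=None, allow_expired=False) -> dict:
    """Return the payload if the token is genuine, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm to what this server issues. Trusting the token's own
    # "alg" would let an attacker switch it to "none" or to another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing about the correct MAC.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    # A token with no "exp" at all is treated as expired rather than eternal.
    if not allow_expired and payload.get("exp", 0) < now:
        raise ValueError("token expired")
    return payload


def issue_token(userid: str, now: int, ttl: int = 3600) -> str:
    # "exp" is the registered claim (seconds since the epoch); it replaces the
    # page's free-form "expiration_date" so libraries can check it.
    claims = {"userid": userid, "exp": now + ttl}
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, SECRET)


def renew_token(old_token: str, now: int, ttl: int = 3600) -> str:
    """Server side of www.myhost.com/renew: same claims, new expiration."""
    # Accept a token that expired recently, but never one with a bad signature.
    claims = verify_hs256(old_token, SECRET, now=now, allow_expired=True)
    if claims["exp"] + RENEWAL_GRACE_SECONDS < now:
        raise ValueError("token too old to renew; log in again")
    new_claims = dict(claims)
    new_claims["exp"] = now + ttl
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, new_claims, SECRET)
```

Two design points worth keeping when adapting this: the algorithm check happens before any signature work, so an "alg": "none" token is rejected without ever reaching the MAC, and renewal goes through the same verifier as every other request, so a tampered or forged old token cannot be laundered into a valid new one.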
Single sign-on
We can use JWT with strategies such as single sign-on: a token issued once at login is accepted by every service that holds the verification key, with no session store shared between them. Limiting a user to one active session per set of credentials is a different requirement; it needs server-side state (for example a session identifier in the claims that the server checks against a store), which the stateless design above does not provide on its own.