28 Nov, 2019 | 3 min read

Quick Intros to JSON and JWT (Exclusively for Cat Lovers)

  • Yvonne Wickramasinghe
  • Senior Product Manager - WSO2

Image credits: Scott Webb on Unsplash

In this post, I will give a brief intro to JavaScript Object Notation (JSON) and JSON Web Token (JWT) in a cat-lover-friendly manner.

What is JSON?

JSON is a language-independent data format that is derived from JavaScript. The data in JSON format comes as human-readable text files with the

.json extension

. These files are used to transmit data objects that comprise the following:

  • Attribute-value pairs
  • Data types such as number, string, boolean, array, object, and null

Following is a sample JSON that describes a cat.

What is JWT?

According to the specification, JWT is a compact, URL-safe means of representing claims to be transferred between two entities.

Icon credits:

JWT, in fact, is a valid JSON object that consists of a header, payload, and signature and would look like something similar to what’s shown in the image below.

Sample JWT structure

In the JWT, these components will be encoded and will be separated by a period (see below).

Sample JWT

Let’s get to know more about these components.


The header of the JWT defines how the token’s signature should be generated and is usually composed of the following:

  • Alg: This is the algorithm that is used to generate the signature of the JWT, which can either be HS256 or RS256
  • Typ: This is the type of the token, which is JWT

The header of the JWT is encoded using the base64 encoding scheme (see below).


The payload consists of a set of claim names and claim values. Following are some commonly used claims:

  • iss: This is the issuer of the token, for example the consumer key of your application
  • sub: This is used by the issuer to uniquely identify the end-user, for example the consumer key of your application
  • aud: This is the audience/recipients that the JWT is intended for
  • exp: This is the epoch time of the token expiration date/time
  • iat: This is the epoch time of the token issuance date/time
  • jit: This is an incremental unique value that uniquely identifies the JWT

The payload of the JWT is also encoded using the base64 encoding scheme (see below).


The signature of the JWT is the hashed value of the encoded header and the encoded payload in the following structure.

Hashing can be done using either RS256 or HS256 algorithms.

Image Credits:


RSA with SHA-256 (RS256) is an asymmetric algorithm that uses a public key and private key pair.

  • Private key: This is used by the identity provider to generate the JWT signature
  • Public key: This is used by the JWT consumer to validate the JWT signature

For more information on asymmetric encryption in WSO2 Identity Server, see the documentation on using asymmetric encryption.


HMAC with SHA-256 (HS256) is a symmetric algorithm that uses a single private key. This private key is shared between both the identity provider and JWT consumer. To learn how to perform symmetric encryption using WSO2 Identity Server, see the documentation on using symmetric encryption. Once hashed, the signature will be encrypted using the private key.


JWT format is used for ID tokens in token-based authentication. However, even though the JWT is encoded, it is not encrypted. Therefore, it is not recommended to transmit private information using JWT.

WSO2 Identity Server is a renowned IAM solution that implements JWT. Following are some content that you might be interested in checking out: