Your Quick Guide to Learn JWT

Last Updated on April 26, 2025 by Aram

JWT is short for JSON Web Tokens

It is a standard format to transmit data between systems in a secure way through JSON objects

This article gives you a foundational knowledge about JWT, its security model, structure, and a few other details. Also, you will learn how you can decode JWT using different tools, and how you can generate a JWT using symmetric algorithm using the latest and greatest .NET 9.

Finally, I include to a list of best practices when working with JWT, so that you can be aware of the different aspects that are related to JWT and how to use it the right way.

Keep reading through this quick guide to learn JWT.

Why Use JWT?

Authentication

Verifies user identity

Authorization

Grants access to protected resources according to role (in claims)

Stateless

No need to store session data on the server.

JWT Security Model

JWTs are digitally signed to ensure integrity and authenticity

Digital signing ensures no one has tampered with the data contained within the JWT

Optionally, JWTs can also be encrypted to protect sensitive data

JWT Structure

A JWT consists of three parts, each part represented as a base64 URL-encoded string, separated by dots (.):

Header

Contains metadata (algorithm & token type).

Payload

Holds user data (claims).

Signature

Ensures token integrity and authenticity

JWT Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmJmIjoxNzQxMzI3NjEyLCJleHAiOjE3NDEzMjg1MTAsImlhdCI6MTc0MTMyNzYxMiwiaXNzIjoiaHR0cDovL2NvZGluZ3NvbmF0YS5jb20iLCJhdWQiOiJodHRwOi8vY29kaW5nc29uYXRhLmNvbSJ9.MLzdiWUCEblnTH5YKRpqMmtQ4ptxeMM9LRljEa80UCY

Now let’s break down this JWT:

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

eyJuYW1laWQiOiIxIiwibmJmIjoxNzQxMzI3NjEyLCJleHAiOjE3NDEzMjg1MTAsImlhdCI6MTc0MTMyNzYxMiwiaXNzIjoiaHR0cDovL2NvZGluZ3NvbmF0YS5jb20iLCJhdWQiOiJodHRwOi8vY29kaW5nc29uYXRhLmNvbSJ9

Signature

MLzdiWUCEblnTH5YKRpqMmtQ4ptxeMM9LRljEa80UCY

JWT Claims

Claims represent the data contained within JWT as the payload.

These are defined as a dictionary of key,value pairs, where the key can be either predefined or custom, and the value can be any JSON value

There is a long list of predefined claims, but some of them are commonly used:

Most common Predefined (Registered) JWT Claims are:

iss: Issuer
sub: Subject
aud: Audience
exp: Expiry time (in epoch)
nbf: Not before time
iat: Issued at time (in epoch)
jti: JWT unique Identifier

Decoding JWT

Since each part of a JWT is a base64 url-encoded string, then you can easily decode it.

VS 2022 has a built-in support to decode any JWT while debugging

You can also use JWT.io to decode your JWT.

JWT.io also checks the signature if you put the secret used to sign the JWT

Decoding JWT in VS 2022

Decoding JWT in JWT.io

How to Generate JWT in .NET?

Adding the Microsoft.AspNetCore.Authentication.JwtBearer NuGet Package would include all the transitive dependencies to help you both create and validate the JWT.

using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

var claimsIdentity = new ClaimsIdentity(new[] {
    new Claim(ClaimTypes.NameIdentifier, userId.ToString())
});

var key = Convert.FromBase64String(
    "TXlTdXBlclNlY3VyZUJhc2U2NEVuY29kZWRTZWNyZXRLZXk=");

var signingCredentials = new SigningCredentials(
        new SymmetricSecurityKey(key),
        SecurityAlgorithms.HmacSha256Signature
    );

var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = claimsIdentity,
    Issuer = "http://codingsonata.com",
    Audience = "http://codingsonata.com",
    Expires = DateTime.Now.AddMinutes(15),
    SigningCredentials = signingCredentials,

};

var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var token = tokenHandler.WriteToken(securityToken);

using Microsoft.IdentityModel.Tokens;

using System.IdentityModel.Tokens.Jwt;

using System.Security.Claims;

var claimsIdentity = new ClaimsIdentity(new[] {

new Claim(ClaimTypes.NameIdentifier, userId.ToString())

});

var key = Convert.FromBase64String(

"TXlTdXBlclNlY3VyZUJhc2U2NEVuY29kZWRTZWNyZXRLZXk=");

var signingCredentials = new SigningCredentials(

new SymmetricSecurityKey(key),

SecurityAlgorithms.HmacSha256Signature

);

var tokenDescriptor = new SecurityTokenDescriptor

{

Subject = claimsIdentity,

Issuer = "http://codingsonata.com",

Audience = "http://codingsonata.com",

Expires = DateTime.Now.AddMinutes(15),

SigningCredentials = signingCredentials,

};

var tokenHandler = new JwtSecurityTokenHandler();

var securityToken = tokenHandler.CreateToken(tokenDescriptor);

var token = tokenHandler.WriteToken(securityToken);

Usually, you would need to generate a JWT within an ASP.NET Core web API in order to embed JWT authentication in it and therefore you can complement it with Role-based authorization with policies and requirements.

This is another topic that I will cover in another post.

Authentication Flow with JWT

Below is the standard workflow process for how JWT authentication happens between different parties client, server, and protected API.

JWT Best Practices

Store the secret key in a secure place (environment variable or a vault), don’t keep it in code or in source control

Always use HTTPS to prevent man-in-the-middle attacks (interception).

Do not store sensitive data in JWTs unless you encrypt them.

Set short expiry (exp), usually in few minutes time, like 15 minutes, and use refresh tokens for long sessions, where you can keep users logged in as long as they are active and don’t go idle for a few weeks. Refresh tokens are usually persisted on your backend storage, and they can be in any format, doesn’t have to be a JWT format.

On frontend, store JWTs in HTTP-only cookies, not localStorage, to avoid issues relate to XSS attacks. Use SameSite=strict for cookies to prevent CSRF.

Avoid using the none algorithm type for signing the JWT, unless you are totally sure the JWT is already verified.

Use asymmetric encryption algorithm (RSA) when your authentication server is not the same as the resource server.

If JWT creation and verification are happening in the same server, it would be fine using symmetric algorithm (HMAC) to sign and verify your JWT. An asymmetric algorithm, like RSA, uses both private key and public key, where the private key is used to sign the JWT, and the public key is used to verify it. While with HMAC, which is based on symmetric algorithm, it relies on a shared secret to both sign and verify the JWT. This introduces a potential security risk where if the secret was shared with an untrusted client or leaked, that client would be able to tamper the JWT and generate a new signed one, which compromises the process.

Validate essential claims like:

Final Thoughts

Using JWT tokens is a tamper-proof strategy to implement authentication and authorization for your modern applications in an effective way.

Always follow the best practices when building your security model of your application, and have it as part of your system designs.

Authentication and authorization are essential components and requirements that should be properly designed in order to guarantee proper delegating of access and repelling malicious users and bots from accessing your protected resources.

Using JWT, since it is stateless, self-contained, and tamper-proof, will enable you build secure, scalable, and robust services that would both satisfy your security requirements while eliminating future obstacles to distribute your services across different servers or locations.

References

Official website of JWT.io

Comprehensive documentation on JWT from Auth0

Configure JWT bearer authentication in ASP.NET Core

Secure Angular Site using JWT Authentication with ASP.NET Core Web API (this is in .NET 6 but the implementation is still valid)

Bonus

Enjoy this musical masterpiece from the great baroque era: