What is a JWT?

A JSON Web Token (JWT, usually pronounced “jot”) is a compact, URL-safe way to carry signed claims between two parties. If you have the issuer’s public key, you can verify a JWT yourself. No network call needed.

JWTs aren’t a protocol. They’re a format. OAuth2 and OIDC happen to use them, but they show up in plenty of other places too.

What “signed” means here

The issuer signs the token. Anyone with the issuer’s public key can verify the signature. If verification passes, you know two things:

  1. The claims were generated by whoever holds the private key (i.e., the issuer).
  2. The token hasn’t been tampered with since.

That’s enough to trust the claims at face value, for as long as the token is valid. Note that the signature says nothing about expiry: checking exp is the verifier’s job.

A JWT in the wild

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3OD
kwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzM2Mzc2NDAwfQ.SfXPyZbR2X4
...

Three Base64URL-encoded parts joined by dots:

header.payload.signature

The first two are JSON. The signature is binary, encoded into Base64URL.

Why JWTs are everywhere

Two properties did the heavy lifting. JWTs are self-contained: everything the recipient needs is in the token. And they validate without a database lookup, since verifying the signature is all it takes to establish that the claims are genuine. RFC 7519 nailed down the format, and now there’s a library for it in every language.

For high-traffic APIs, the statelessness is the killer feature. A million requests per second can all be authenticated locally, with no shared session store breathing down anyone’s neck.

What JWTs are not

  • Not encrypted by default. A JWT’s payload is Base64URL-encoded, not encrypted. Anyone who holds the token can decode and read it. Don’t put secrets in a JWT unless you also use JWE (encrypted JWTs).
  • Not session cookies. A JWT cannot be “destroyed.” It is valid until exp. Treat that as a feature (statelessness) or a liability (no instant revocation) depending on your needs.
  • Not a permission system. A JWT carries claims. What those claims mean is up to the resource server. Authorization decisions still belong to your application code.

JWT vs opaque tokens

A short side-by-side:

                               JWT                             Opaque token
Format                         Base64URL-encoded JSON          Random string
Validate by                    Verifying signature locally     Calling introspection endpoint
Revocable before exp?          No (without extra machinery)    Yes
Carries claims                 Yes, readable by anyone         No, server-side only
Network calls per validation   0                               1

Most OIDC providers, including FerrisKey, issue JWTs by default.

A mental model

A JWT is a tamper-evident sticker on a claim. You can read the claim through the sticker (no encryption). You cannot peel and re-stick it (the signature would break). And the sticker has an expiration date printed on it.

In FerrisKey

FerrisKey issues JWTs as access tokens and ID Tokens. The signing keys for each realm are exposed at the JWKS endpoint listed in the realm’s discovery document.