Understand the structure (Header, Payload, Signature) and purpose of JSON Web Tokens.
JSON Web Tokens (JWT), pronounced 'jot', are an open, industry-standard (RFC 7519) method for securely representing claims between two parties. They are a cornerstone of modern stateless authentication. A JWT is a compact, URL-safe string that consists of three parts separated by dots (`.`):

1. **Header**: This part typically consists of two fields: the token type (`typ`), which is `JWT`, and the signing algorithm (`alg`) being used, such as HMAC SHA256 (`HS256`) or RSA. The header is then Base64Url encoded to form the first part of the JWT.
2. **Payload**: This part contains the 'claims'. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private. Registered claims are a predefined set of claims like `iss` (issuer), `exp` (expiration time), and `sub` (subject). Public claims are defined by those using JWTs, but should be registered in the IANA JSON Web Token Registry or be a URI to avoid collisions. Private claims are custom claims created to share information between parties that agree on using them. The payload is also Base64Url encoded.
3. **Signature**: To create the signature, you take the encoded header, the encoded payload, a secret key, and the algorithm specified in the header, and sign them. For example, if you are using HS256, the signature is created by `HMACSHA256(base64UrlEncode(header) + '.' + base64UrlEncode(payload), secret)`.

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. Because the token is signed, it is tamper-evident: any change to the header or payload invalidates the signature. Note that the header and payload are only Base64Url encoded, not encrypted, so anyone holding a token can read its claims. The server can verify the signature and trust the claims within the payload, making JWTs a powerful tool for building stateless, scalable authentication systems.
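A minimal HS256 sign-and-verify routine that follows the three steps above, written for this page as an added example (not code from the original page) using only Python's standard library. The secret, claims and timestamps are constructed values, and the function names `sign_hs256` and `verify_hs256` are my own choice; the verifier pins the algorithm, uses a constant-time comparison, and checks `exp`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # Base64Url: '+' becomes '-', '/' becomes '_', and '=' padding is dropped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encoding time before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as described on the page."""
    header = {"alg": "HS256", "typ": "JWT"}
    # separators=(",", ":") yields compact JSON, as JWT libraries produce
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given_sig = b64url_decode(sig)
    except ValueError:  # wrong part count, bad Base64Url, or malformed JSON
        return None
    # The verifier decides which algorithm is acceptable, never the token
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    # compare_digest avoids leaking where the two MACs first differ via timing
    if not hmac.compare_digest(expected, given_sig):
        return None
    claims = json.loads(b64url_decode(body))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None  # registered claim exp: token has expired
    return claims
```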