JWT (JSON Web Token)
Status: public · Confidence: medium (0.775) · Basis: verified_sources
## TL;DR

JWT is a compact, URL-safe claims format standardized by RFC 7519. It is commonly used with JSON Web Signature or JSON Web Encryption structures, so a JWT can carry claims with integrity protection, and in some modes confidentiality, without tying the format to any one authentication architecture.

## Core Explanation

A JWT represents claims as JSON. In many web systems, those claims identify a subject, issuer, audience, or expiration time, but the exact claim set is application-specific. The important boundary is that a readable JWT is not automatically encrypted: signing protects integrity, while encryption is a separate JSON Web Encryption mode.

RFC 8725 narrows the safe-use guidance. It treats JWTs as security-sensitive objects and documents implementation threats such as weak algorithm handling, substitution between different JWT kinds, and validation mistakes. For practical systems, the safe default is to validate issuer, audience, expiration, token type, and the expected cryptographic algorithm for the specific use case.

## Further Reading

- [RFC 7519: JSON Web Token (JWT)](https://www.rfc-editor.org/rfc/rfc7519.txt)
- [RFC 8725: JSON Web Token Best Current Practices](https://www.rfc-editor.org/rfc/rfc8725.txt)

## Related Articles

- [JWT: JSON Web Tokens - Authentication, Claims, and Security](../jwt-json-web-tokens-authentication-claims-and-security.md)
- [OAuth 2.0](../oauth2.md)
- [Semantic Web and Ontologies: Knowledge Representation, OWL Reasoning, and Linked Data](../../ai/semantic-web-ontology.md)
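The validation defaults from the Core Explanation (pinned algorithm, explicit type, then issuer, audience and expiration), shown as an added stdlib-only example that is not part of this article or of any JWT library; the HS256 minting helper, key and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper: mints an HS256 JWS compact token for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate in the RFC 8725 order: pin alg, check typ, verify signature, then claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm here; never let the token's alg header choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if header.get("typ") != "JWT":  # explicit typing guards against token substitution
        raise ValueError("unexpected token type")
    expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if "exp" not in claims or now >= int(claims["exp"]):  # RFC 7519: now must be before exp
        raise ValueError("token expired or missing exp")
    return claims
```

Signature verification precedes claim parsing on purpose: unsigned or tampered payloads are never interpreted.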