Semicolony ELI5 · comic

JWTs (JSON Web Tokens).

A festival wristband: checked at a glance, with no call back to the box office.

  1. One check-in, please.
    Panel art: SIGN IN, wristband.

    You sign in once. In return you get a signed token — your wristband for the visit.

  2. alg · who · exp · sig
    Panel art labels: header, claims, signature.

    The token has three parts: who you are, some claims, and a signature.

  3. Wristband? In you go.

    Each later request just shows the token. The server trusts it on sight — no lookup.

  4. who: bit, edited: the signature no longer matches.

    The signature makes it tamper-evident: change one letter and it stops matching.

  5. name: bit · role: user. No secrets!

    Anyone can read what is on it — so never put secrets in a token.

  6. Expires at midnight.
    Panel art: valid token, expires soon.

    It cannot easily be cancelled mid-visit, so tokens are kept short-lived.
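The six panels in working code, as an added example that is not part of the comic: a minimal HS256 JWT built from the standard library only, so you can see the three dot-separated parts (panel 2), read the claims without the key (panel 5), watch the signature fail after one claim is edited (panel 4), and watch the token die at its `exp` time with no server-side lookup (panels 3 and 6). The signing key, the `name`/`role` claims and the fixed clock value are constructed for the demo; nothing here is production code.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the standard decoder expects
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    # Panel 2: header . claims . signature, each part base64url-encoded
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{c}.{b64url_encode(sig)}"


def read_claims_unverified(token: str) -> dict:
    # Panel 5: anyone holding the token can decode the claims; no key needed
    _, c, _ = token.split(".")
    return json.loads(b64url_decode(c))


def verify_hs256(token: str, key: bytes, now: int) -> Optional[dict]:
    # Panels 3, 4, 6: check signature and expiry locally, with no lookup.
    # Returns the claims on success, None if the token is rejected for any reason.
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm the verifier expects; never let the token choose it
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak the signature
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(c))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of parts
        return None
    if "exp" not in claims or now >= claims["exp"]:
        return None
    return claims


def tamper_with_role(token: str, new_role: str) -> str:
    # Panel 4: re-encode the claims with one field changed but keep the old signature
    h, c, s = token.split(".")
    claims = json.loads(b64url_decode(c))
    claims["role"] = new_role
    c2 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{c2}.{s}"


# Constructed demo values (not from the comic)
KEY = b"demo-signing-key-not-for-production"
ISSUED_AT = 1_700_000_000  # fixed clock so the results are reproducible
TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"name": "bit", "role": "user", "exp": ISSUED_AT + 900},  # 15-minute wristband
    KEY,
)

if __name__ == "__main__":
    print("claims readable without the key:", read_claims_unverified(TOKEN))
    print("accepted now:", verify_hs256(TOKEN, KEY, ISSUED_AT + 10) is not None)
    edited = tamper_with_role(TOKEN, "admin")
    print("edited claims still readable:", read_claims_unverified(edited)["role"])
    print("edited token accepted:", verify_hs256(edited, KEY, ISSUED_AT + 10) is not None)
    print("accepted after expiry:", verify_hs256(TOKEN, KEY, ISSUED_AT + 1000) is not None)
```

The `alg` pin and the `exp` check are the two things a verifier must never leave to the token itself: the comic's "trusted on sight" only holds because the server decides which algorithm it accepts and refuses anything past its expiry, with nothing to revoke in between.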

Sign in once, then get waved through on sight — and what that trades away.
Semicolony semicolony.dev/eli5/jwt/comic