
    Creating JWTs (JSON Web Tokens) in Node

    Kassandra Perch

    In this lesson we will look at all of the pieces that combine to create a JWT (j AWT) or JSON Web Token. You will use Node to create a JWT, and then verify it in the JWT debugger.





    00:06 Hello and welcome to our lesson on JSON Web Tokens also known as JWTs. What we're going to do is create a JWT using the node command line. The way I'm going to do this is by creating each of the three pieces of a JWT -- the header, the payload, and the key -- sign the key, and then show you all how to debug a JWT.

    00:29 First, let's start with our header. Our header is a JSON object with two claims. Claims are a fancy word for JSON key value pairs, and the two we're putting here are typ which stands for type, and alg which stands for algorithm which is what we'll use to sign the key.

    00:49 Now that we have our header object, we need to turn it into a base64 encoded string. We're going to do that by placing it in a buffer with JSON.stringify, our header, and then toString that buffer with base64.

    01:06 We have our header. What we're going to do is create our payload. When I talk about claims, I mentioned that there are fancy words for JSON key pairs, but there are several types of claims.

    01:21 For instance, there are public claims which are registered in the specification in under a registry, there are reserved claims like iat which stands for issued at which are part of the specification, or issuer also part of the specification, and then there's private claims which are claims you can write yourself. Things like user name.

    01:43 These can have more than three characters whereas public and reserved tend to have three characters. Now that we have our payload, we're going to turn it into a base64 encoded string just like we did with the previous one.

    02:02 Now that we have our header, and our payload, let's talk about creating the key. There's a little bit more to creating the key than the other two items. What we need to do is first create our base key which is our header. Concatenate it with a period, concatenate it with our payload.

    02:22 We need to sign the key. To do that, we're going to use the crypto library for node. We're going to create a signature, and it'll be a crypto.createHmac. The first thing we're going to pass it is sha256 which is the algorithm we mentioned in the header. The second thing we're going to pass it is our secret.

    02:44 This secret should be shared between the server, and whichever parties you want to authenticate the token with because that's how they'll know that the identity is verified. Now that we have our signature Hmac, we're going to update it with our key.

    03:01 Finally, to create the finalized version of our key, we're going to digest this signature with the format of base64. We have all of the pieces of our JSON Web token, so let's assemble it. All the JSON token is, is our header, plus the period, plus the payload, plus another period, plus the signed digested key.

    03:30 Let's take a look, and now we've got our JSON token. I'm going to copy that, and I'm going to next show you how to debug this JSON Web token using the website. This is the website. If you scroll down just a little bit, you'll find the debugger. What we're going to do is we're going to paste our newly made JWT into this debugger.

    03:56 As you can see on the right, it decodes all the base64 encoded information, and shows it here in the header, and payload. It talks a little bit about our signature. However, as you can see, it says invalid signature. That's because the secret here is not the secret we used to sign our key.

    04:12 I'm going to change it, and as you can see, it now says signature verified. That's how you make sure that the JWTs that are sent to your server are from who they say they are, is by verifying that the key was signed in the correct way.

    04:26 You can also sign keys asymmetrically with RSA 56 public private key pairs. To learn even more about JWTs, I highly recommend the website. We have a lot of information there, and you can definitely read it a little more easily than the specification. Though I would definitely recommend reading RFC 7519 to learn more.

    04:49 Thanks for listening.