JWT Explained In Under 10 Minutes (JSON Web Tokens)

preview_player
Показать описание
JWT (JSON Web Tokens) explained in under 10 minutes! Authentication, authorization, refresh tokens, statelessness, and more.

Four years ago, I published my first-ever article on Medium, titled "JSON Web Tokens - The only explanation you'll ever need". Tens of thousands of developers have read it, so I decided to make a video version. Enjoy!

🔗 Socials:

Timestamps:
00:00 Intro
00:21 Authentication VS Authorization
01:34 The Structure of a JWT
02:42 Signature
04:05 JWTs Are Encoded, NOT Encrypted!
04:45 JWTs Are Stateless
05:49 Short Lived Tokens
07:32 Refresh Token Rotation
08:13 Recap

📚 Resources

  1. Ariel Weinberger
  2. what is jwt
  3. json web token
  4. jwt
  5. authentication and authorization
  6. web authentication methods
Рекомендации по теме
JWT Explained In 0:09:18

JWT Explained In Under 10 Minutes (JSON Web Tokens)

What Is JWT 0:14:53

What Is JWT and Why Should You Use JWT

#35 What is 0:14:47

#35 What is JWT and Why

Understanding JSON Web 0:08:31

Understanding JSON Web Tokens | JWT Explanation from Tech with Tim

Don’t Use JWT 0:01:00

Don’t Use JWT for Login Sessions

JWT Explained in 0:11:38

JWT Explained in Depth | CyberSecurityTv

JWT Authentication Explained 0:07:52

JWT Authentication Explained

Node Auth Tutorial 0:07:17

Node Auth Tutorial (JWT) #10 - JSON Web Tokens (theory)

JSON Web Token 0:11:47

JSON Web Token (JWT) Explained in Bangla | Access & Refresh Token | Secure Authentication Tutori...

Learn JWT in 0:10:20

Learn JWT in 10 Minutes with Express, Node, and Cookie Parser

Structure of JWT 0:00:54

Structure of JWT token || How is JWT token structured?

What is JWT 0:05:13

What is JWT ? JSON Web Token Explained

26. JWT Explained 0:49:27

26. JWT Explained | JWT vs SessionID | JSON Web Token | Security Challenges with JWT & its Handl...

How Json Web 0:06:22

How Json Web Token (JWT) Authentication Works Explained.

How to use 0:01:00

How to use a JWT Token to get data from an API with Javascript

What is a 0:01:00

What is a JWT? 🆔⌛

Learn JWT Series 0:12:06

Learn JWT Series - JWT in 10 minutes(almost)

JWT as session 0:00:59

JWT as session token || How JWT is used to manage HTTP session?

What is JWT? 0:14:53

What is JWT? JSON Web Tokens Explained (Java Brains)

How Does JWT 0:11:27

How Does JWT Authentication Work? (JSON Web Token) | Tokens vs Sessions

Explaining JSON Web 0:01:00

Explaining JSON Web Token (JWT) to a 10-year-old kid.

What is JWT 0:10:48

What is JWT authentication? | When to use JSON Web Tokens ? | Explained

Decoding JWT JSON 0:00:24

Decoding JWT JSON Web Tokens A Comprehensive Guide to Secure Data Exchange #js #node #nodejs #jsx #c

JWT: Top 10 0:01:49

JWT: Top 10 Recommendations

Комментарии
Автор

3:47 Shouldn't it be the secret + header + payload?

kgroombr
Автор

Thanks for the super clear explanation.

I have question related to Refresh Tokens being stolen: 08:13
"The first time legit user uses the refresh token, that refresh token is not valid anymore."

But here is a catch, WHAT IF the malicious user uses the refresh token to get a new pair of tokens before the legit user?

That means, after some time when legit user tries to use refresh token, he will not be allowed to do so, BUT malicious user will have all the access.

What do you think about that?

mhmdev
Автор

I'm kinda lost with the refresh token thing, the refresh token lives in the database right? so it defeats the purpose of JWT which is being Stateless (not need to query the db for authorization)
*in the scenario where you can't have cookies e.g. mobile or desktop apps

ricko
Автор

Amazing production quality. May I ask how did you create the animated portions of the video like the text and everything?

Diego_Cabrera
Автор

Do I need to store Refresh token in user's cookies??

jitxhere
Автор

I have watched the video multiple times and Istill don't understand it completely

How is the JWT stateless

Please make a detailed video showing how the token is generated on server and how it goes to cleint and how does the whole process work

AjayKumar-cqmz
Автор

Security reasons behind token expiration and rotation are clear, but not their mitigation. If, has an attacker, I have access to both tokens, then I am on equal footing with the legit user who also has both tokens. I could be the one getting the new refresh token / auth token as part of my requests even, UNLESS there's something else that you've neglected to mention, like a tie-in to the user's IP / Mac Address / etc.

Also, you keep saying that the token is stateless but don't explain WHAT IT MEANS. Stateless is an incredibly loaded term in IT. I understood what you meant through the given example, but you should definitely pay more attention to such details.

thewaver
Автор

A very thorough, yet succint explaination of JWT. Thanks, Ariel.

{2024-04-21}

Pareshbpatel