JSON Web Token (JWT)

JWT is introduced on https://en.wikipedia.org/wiki/JSON_Web_Token as follows:

JSON Web Token (JWT, sometimes pronounced /dʒɒt/, the same as the English word "jot”[1]) is an Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.

The JWT is sent in the HTTP Header Authorization. An example looks like this:

Authorization
Bearer eyJhbGciOiJIUzI1NiJ9.eyJwcmluY2lwYWwiOiJmMTY3ODNjMy1jYjBjLTM3MjctOTVjMS0wNzUyZjkzOGY3YTciLCJleHBpcmVzIjoxNjA0OTM5OTk4OTE4LCJwcmluY2lwYWxOYW1lIjoiYWRtaW4iLCJzZXNzaW9uIjoiMWQ0NjFhYWMtNzQ5Ny00Y2Q2LThmZTMtODBhYTVhMWVlMjJmIiwibGFuZyI6ImRlIiwiYWNjb3VudHMiOnsiOTc2OWE4ZTctYzNjNi00ZWZiLWJiMzctZDEzYjcyZjM0OTUzIjp7Im93bmVyIjp0cnVlLCJ0eXBlIjoiUFJPSkVDVCIsInJvbGUiOiJhZG1pbiJ9fX0.t3Tdf23q4K_4SMFgM9dS_jAAfBW_53EQnfCVN8z4Wgo

The token can be decoded with the JWT debugger at https://jwt.io:

// header
{
  "alg": "HS256"
}
// payload:
{
  "principal": "f16783c3-cb0c-3727-95c1-0752f938f7a7",
  "expires": 1604939998918,
  "principalName": "admin",
  "session": "1d461aac-7497-4cd6-8fe3-80aa5a1ee22f",
  "lang": "de",
  "accounts": {
    "9769a8e7-c3c6-4efb-bb37-d13b72f34953": {
      "owner": true,
      "type": "PROJECT",
      "role": "admin"
    }
  }
}
// signature:
// N/A

This, means the given JWT is for the user admin, valid in the account with the UUID 9769a8e7-c3c6-4efb-bb37-d13b72f34953, login in with the role admin.

This token is sent with each API request, s.th. the respective micro service can authorize the request.

The token is obtained by authenticating and then authorizing against the authentication microservice. 

Obtaining a temporary JWT

Within your browser's debugger, select any request after logging in. Open the Headers tab and scroll all the way to the bottom to the section Request Headers.

The attribute Authorization contains the JWT: