JSON Web Token
JWTs are the token format for OIDC ID tokens and many OAuth implementations. Understanding the structure and security tradeoffs is essential.
What It Defines
Defines the JWT format: a Base64url-encoded header, payload (claims), and signature. Common claims: iss, sub, aud, exp, iat. JWTs are used as OAuth access tokens, OIDC ID tokens, and session tokens.
Canonical (Normative)
Convenient (Practical)
The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. Published by the IETF, IRTF, IAB, and independent stream.
Related Specs
"Sign in with Google", "Sign in with Apple", and "Sign in with GitHub" all use OIDC. If your app authenticates users via a third party, you're using OIDC whether you know it or not.
When your app verifies a JWT from an identity provider, it fetches the public key as a JWK from the OIDC discovery endpoint.
Every API that accepts an OAuth access token uses bearer token transport. Know the header format and the security implications of each transport method.