What are the three parts of a JWT? How are they signed and revoked?
A JSON Web Token (JWT) is a compact, self-contained token format for transmitting claims between parties. It consists of three base64url-encoded parts separated by dots: header.payload.signature.
The header is a JSON object specifying the token type and signing algorithm: `{"alg": "HS256", "typ": "JWT"}`. Common algorithms: HS256 (HMAC-SHA256, symmetric key), RS256 (RSA-SHA256, asymmetric key pair), ES256 (ECDSA, asymmetric). The algorithm choice has security implications.
The payload contains claims — key-value assertions about the subject. Registered claims are standardized: `iss` (issuer), `sub` (subject/user ID), `exp` (expiration timestamp), `iat` (issued-at), `aud` (audience — which service this token is for). Custom claims add application-specific data: roles, permissions, user metadata. The payload is base64url-encoded but not encrypted — anyone can decode and read it. Never store sensitive data (passwords, PII) in JWT payloads unless the token is also encrypted (a JWE).
The signature is computed over the encoded header and payload: `HMAC-SHA256(base64url(header) + '.' + base64url(payload), secret)` for HS256. The server verifies the signature on each request to ensure the token hasn't been tampered with. If any part of the header or payload changes, the signature no longer matches.
For signing algorithm selection: HS256 uses one shared secret — simple but both issuer and verifier must know the secret, which is risky if multiple services verify tokens. RS256/ES256 use private key for signing (auth server only) and public key for verification (any service) — better for distributed systems. A critical vulnerability to know: the `alg: none` attack — early JWT libraries accepted tokens with algorithm `none` and no signature; always explicitly validate the expected algorithm.
Revocation is JWT's hard problem. JWTs are stateless — validity is proven by signature alone, with no server-side lookup. A revoked JWT remains valid until it expires unless you add state. Common patterns: short expiry (5-15 minutes) plus refresh tokens; a token blocklist/denylist (store revoked JTI claims in Redis — brings back state but bounded to revoked tokens only); or opaque tokens for critical paths where immediate revocation is required. Logout in JWT-based systems is often a client-side delete (remove the token from storage) plus server-side blocklist of the specific token if revocation must be immediate.
Correctly names and explains all three parts, explains that the payload is readable (not encrypted), describes HMAC vs RSA signing and the verification mechanism.
All of the above plus: explains the alg:none vulnerability, discusses the revocation problem with concrete solutions (short expiry + refresh, JTI blocklist), distinguishes HS256 vs RS256 tradeoffs for distributed systems, and notes JWE for encrypted payloads.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment