JSON Web Token
JWT is a format
It can be used for many purposes
ID Tokens are always JWTs
Access tokens can be JWTs
Refresh Tokens are "never" JWTs
Most often signed (JWS)
Can be encrypted (JWE)
Signed - JWS
Proves who issued the token
The prominent way for JWTs
Asymmetric signatures
Always whitelist the algorithms that are allowed
Don't rely on the signature alone; verify the contents as well:
Audience
Issuer
Expiration
Encrypted - JWE
Keeps data confidential
Used in OpenID Connect
ID Tokens
User info responses
Not practical for access tokens
Opaque tokens are preferred to keep confidentiality
JWTs and Protocols
A JWT is not a protocol.
They can be used in different ways depending on protocols
They should not be used against the protocol's intention.
Example
Access tokens are for the API
They are issued to the client
The client should not decode the access token