
Why Base64 is used in JWTs?


I am trying to understand JSON Web Tokens and got to learn that Base64 is the encoding used in them. As base64 can be decoded easily, my question is why to use them. Why not use a one-way hash function to generate the token?


Solution

  • JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

    In fact, JWT is a generic name for the following types of token:

    • JSON Web Signature (JWS): The payload is encoded and signed so the integrity of the claims can be verified.

    • JSON Web Encryption (JWE): The payload is encrypted so the claims are hidden from other parties.

    As base64 can be decoded easily, my question is why to use them.

    JWT uses Base64url, which is slightly different from Base64.

    One possible reason why Base64 is used: it's a very popular encoding format and it's very easy to use in most programming languages. Also, Base64url is URL-safe, so the tokens can be sent in the URL.

    Why not use a one-way hash function to generate the token?

    It defeats the purpose of signed JWT, as the receiver wouldn't be able to parse the content of the token.
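The answer's point in runnable form, as an added example (not from the original post): a minimal HS256 JWS built from the standard library only. Anyone can Base64url-decode the payload and read the claims, but a tampered payload fails signature verification; the key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # Base64url (RFC 7515): '-' and '_' instead of '+' and '/', no '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that Base64url strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    # JWS compact serialization: header.payload.signature, HMAC-SHA256 over "header.payload"
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_unverified(token: str) -> dict:
    # Base64url is an encoding, not a secret: any holder of the token can read the claims
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    # Returns the claims only if the signature is valid for this key, else None
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # accept only the algorithm the verifier expects
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def replace_payload(token: str, claims: dict) -> str:
    # Keep header and signature, swap the payload (to show that verification catches it)
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{encode_json(claims)}.{sig_b64}"
```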