Last updated 2022-10-22 09:46:58

The Difference Between A JWT And A Bearer Token

Table of contents

What are Access Tokens?

Online systems usually give different levels of access to different groups of people. To get access to the system, a user has to provide special information. E.g. Username/password combo.

This is information that only they possess. Once a user gains access to a system, most systems return a short-lived token that the user or system can use for subsequent requests. This helps establish a session between the system and the user.

This token is known as an Access Token and exists in many forms.

The structure of the token depends on how and what the system needs to verify a user within the session period.

These tokens are mostly passed in the header of an HTTP [↗] request.

What is JWT?

A JSON Web Token JWT [↗] is an example of an Access Token.

Once a user authenticates against a server, they are provided an alphanumeric string that looks something like this:

$ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This string can be decoded by anyone and contains information that the server needs to verify a user. E.g.

01: { 02: "alg": "HS256", 03: "typ": "JWT", 04: "sub": "1234567890", 05: "name": "John Doe", 06: "iat": 1516239022 07: }

Although anyone can decode the contents of a JWT string, only the server can generate a valid one.

This makes it safe even if the JWT token gets leaked. Authentication is usually required when the token is not used for a long time or expires, so the user will have to re-authenticate.

What is a Bearer Token?

A bearer token is an Access Token passed to a server using the HTTP Authorization header.

It typically looks something like this:

01: Authorization: Bearer token123

The actual token within a Bearer Token can be any series of characters that the server can decode. This means a JWT string can be passed as Bearer Token.

Bearer tokens are mostly used in OAuth [↗] authentications.

Here is another article you might like 😊 "What is An Asynchronous (Async) API?"