If you are interested about token based authentication then this blog is for you. In this blog mainly i will target token based / stateless authentication and how can we achieve using JWT (Json Web Token).

Stateless / Token based Authentication

Stateless authentication means, at server side we don’t maintain the state of a user. The server is completely unaware of who sends the request as we don’t maintain the state. We can achieve the stateless authentication by using JWT (JSON Web Token). But before jumping into JWT and token based authentication, Let’s have a look at the way authentication has been done in the past using session cookies.

Stateful Authenticationstatufull


How it Works?

The browser makes a POST request to the server that contains the user’s identification and password. The server responds with a cookie, which is set on the user’s browser, and includes a session ID to identify the user.On every subsequent request, the server needs to find that session and deserialize it, because user data is stored on the server.

Drawbacks of Stateful Authentication

Hard to scale: The server needs to create a session for a user and persist it somewhere on the server. If we have a distributed system, we have to make sure that session is shared between multiple nodes.

Cross-origin resource sharing (CORS): When using AJAX calls to fetch a resource from another domain (cross-origin) we could run into problems with forbidden requests because, by default, HTTP requests don’t include cookies on cross-origin requests.

Coupling with the web framework: When using server-based authentication we are tied to our framework’s authentication scheme. It is really hard, or even impossible, to share session data between different web frameworks written in different programming languages.

Stateless / Tokenbased Authentication

In stateless authentication there is no need to store user information in the session. We can easily use the same token for fetching a secure resource from a domain other than the one we are logged in to.


How it Works?

A browser or mobile client makes a request to the authentication server containing user login information. The authentication server generates a new JWT access token and returns it to the client. And client needs to store that token and send on every request to a restricted resource in the Authorization header. Server then validates the token and if it’s valid, returns the secure resource to the client.

Advantages of Token-Based Authentication

Stateless, easier to scale: The token contains all the information to identify the user, eliminating the need for the session state. If we use a load balancer, we can pass the user to any server, instead of being bound to the same server we logged in on.

Reusability: We can have many separate servers, running on multiple platforms and domains, reusing the same token for authenticating the user. It is easy to build an application that shares permissions with another application.

Performance: There is no server side lookup to find and deserialize the session on each request. The only thing we have to do is validate the token and parse its content.

What is a JSON Web Token?

JSON Web Token (JWT) is a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

Compact: Because of its smaller size, JWTs can be sent through an URL, POST parameter, or inside an HTTP header.

Self-contained: The payload contains the required information about the user, So we can reduce some of the DB calls.

Structure of a JSON Web Token

JSON Web Tokens consist of three parts separated by dots (.), which are

  • Header
  • Payload
  • Signature



JSON Web Token example



The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.

Payload (Claims)

The second part of the token is the payload, which contains the claims. There are mainly two types of claims: reserved and private claims.

Reserved claims: These is a set of predefined claims which are not mandatory but recommended, to provide a set of useful claims. Some of them are: iss (issuer), exp (expiration time), sub(subject), aud (audience), and others.

Private claims: These are the custom claims created to share information between parties.

A sample payload could be


To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

Security and Encryption with JWT

If we want to put some sensitive information in JWT token, to protect that sensitive information we can encrypt the JWT payload itself using the JSON Web Encryption (JWE) specification.

Implementation blog

Implementation of stateless / tokenbased authentication using JWT, Nginx+Lua, Memcached