JWT token
Why do we need a JWT token?
A client with the SDK gets a challenge from the BotProtection machine and then sends it to your backend server in a JWT token. In this way you can verify that the challenge was not skipped and check the BotProtection bot score together with its label (bot or not a bot).
What is a JWT token?
JWT or JSON Web Token is an Internet standard for creating JSON-based access tokens that assert some number of claims.
For example, a server could generate a token that has the claim "logged in as admin" and provide that to a client. The client could then use that token to prove that it is logged in as admin. The tokens are signed by one party's private key (usually the server's), so that both parties are able to verify that the token is legitimate. The tokens are designed to be compact, URL-safe, and usable especially in a web-browser single-sign-on (SSO) context. JWT claims are typically used to pass the identity of authenticated users between an identity provider and a service provider, or to carry any other type of claims required by business processes.
JWT relies on other JSON-based standards: JSON Web Signature and JSON Web Encryption.
Structure
Header
{
"alg" : "HS256",
"typ" : "JWT"
}
Identifies which algorithm is used to generate the signature. HS256 indicates that this token is signed using HMAC-SHA256.
Typical cryptographic algorithms used are HMAC with SHA-256 (HS256) and RSA signature with SHA-256 (RS256).
Payload
{
"challenge_id": "b5fbbb86-1c7e-4f78-bb8b-1a6f2f17b17d",
"result": 0.9494475560,
"iat": 1578597646,
"exp": 1578597706
}
Contains a set of claims. The JWT specification defines seven Registered Claim Names which are the standard fields commonly included in tokens. Custom claims are usually also included, depending on the purpose of the token.
This example has the standard Issued At Time claim (iat) and the Expiration Time claim (exp). If the exp time is less than the time at which the token is checked, verification fails. challenge_id and result are custom fields which are used to get information about a passed challenge.
Signature
RSASHA256( base64urlEncoding(header)+ '.' + base64urlEncoding(payload), secret )
Lets the verifier check that the token is genuine and has not been modified. The signature is calculated by encoding the header and payload using Base64url encoding and concatenating the two together with a period separator. That string is then run through the cryptographic algorithm specified in the header, in this case RSASHA256 (note that the sample header above declares HS256, an HMAC keyed with a shared secret, whereas an RS256 signature is produced with an RSA private key and verified with the matching public key). Base64url encoding is similar to base64, but uses different non-alphanumeric characters and omits padding. A verifying backend should accept only the algorithm it expects rather than whatever the incoming header claims, and should recompute the signature over the exact header and payload segments it received.
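The following is an added example, not code from the BotProtection SDK or from this page: a minimal backend-side verifier for the token structure described in the Payload and Signature sections, using only the Python standard library. It assumes a constructed shared secret (SECRET), pins the accepted algorithm to HS256 to match the sample header, checks the exp claim against the current time, and then extracts the custom challenge_id and result claims. The sign_hs256 helper exists only so the example can mint a token to verify; an RS256 verifier would instead check an RSA signature with the issuer's public key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared secret for this example (assumption); in practice it is the
# key agreed between the token issuer and your backend.
SECRET = b"example-shared-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that base64url strips, then decode."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify algorithm, signature and expiry; return the payload claims.

    Raises ValueError on any failure. The accepted algorithm is pinned to HS256
    instead of being taken from the header, so a token whose header names a
    different algorithm (or "none") is rejected before any signature check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r; only HS256 is accepted" % header.get("alg"))

    # Recompute the MAC over the exact segments received, not over re-serialised JSON.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # compare_digest avoids leaking where the two MACs first differ.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # Page rule: if exp is less than the time the token is checked, verification fails.
    if "exp" not in payload or payload["exp"] < now:
        raise ValueError("token expired or has no exp claim")
    return payload


def challenge_result(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[str, float]:
    """Return (challenge_id, result) from a verified token."""
    claims = verify_hs256(token, secret, now)
    return claims["challenge_id"], float(claims["result"])


if __name__ == "__main__":
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {  # values taken from the page's sample payload
        "challenge_id": "b5fbbb86-1c7e-4f78-bb8b-1a6f2f17b17d",
        "result": 0.9494475560,
        "iat": 1578597646,
        "exp": 1578597706,
    }
    token = sign_hs256(header, payload, SECRET)
    print(challenge_result(token, SECRET, now=1578597650))
```

The verifier deliberately checks the algorithm, then the signature, and only then reads claims from the payload, so nothing in an unverified payload influences the decision. The now parameter exists so the expiry rule can be exercised against the fixed timestamps from the sample payload.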