Decoding a JWT Token

Verifying the integrity of a claim contained in a JWT Token

Praise Magidi avatar
Written by Praise Magidi
Updated over a week ago

Firstly, let's understand what a JWT Token really is and its use in a Synatic flow.


What is a JSON Web Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained method to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Signed tokens verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.


When to use JSON Web Tokens?

Synatic can use various authentication methods, as seen in the Security Scheme option of the API Builder, and the JSON Web Token is one of them.

Here are some scenarios where JSON Web Tokens are useful:

  • Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources permitted with that token. Single Sign-On is a feature that widely uses JWT because of its small overhead and its ease of use across different domains.

  • Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed, you are assured that the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.


What is the JSON Web Token structure?

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header

  • Payload

  • Signature

Therefore, a JWT token string typically looks like the following:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Each part is constructed as follows:

  • The Header is up to the first dot in the token string.

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  • The Payload is from the first dot up to the second dot in the token string.

    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

  • The Signature is from the second dot to the end of the token string.

    SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c


Decode a JWT Token using a Synatic flow

Let's create a Synatic flow and use it to decode a JWT Token string.

Now let's configure the Calculator step to decode the token programmatically.

  • Click the edit icon to open the Calculator step.

  • The JavaScript code processes the token as follows:

  1. let inputRecord=input.record;
    // Assigns the token value from the JSON record.

  2. const access_token = inputRecord.jwt_token;
    // Define the access_token reference value.

  3. const base64Payload = access_token.split('.')[1];
    // Separates and retrieves the JWT on the first period ('.').
    // [1] is the 2nd element of the three of the access_token array.
    // Assigns the reference value to base64Payload.

  4. const payload = createBuffer(base64Payload, 'base64');
    // This creates a Buffer in JavaScript and assigns the Base64 value.
    // The buffer provides a way of handling streams of binary data.

  5. const jwt_contents = JSON.parse(payload.toString());
    // Copies the buffer content into a string object.
    // Parses into a JSON object, to access the payload fields.

  6. inputRecord.jwt_decoded = jwt_contents;
    // Assigns the string contents to the decoded output value.

  7. return inputRecord;
    // Return the token value to the flow.


Test the Synatic flow

Let's test the flow logic for decoding the JWT Token.

  • Click the Play โ–ถ button in the flow, then add the JWT Token text.
    โ€‹

  • Click Test to execute the simulation.

    If the test is successful, the decoded token will show in the Debug Data dialog, where you can verify the integrity of the issuer and the signature.
    โ€‹

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned. Since tokens are credentials, great care must be taken to prevent security issues.
๐Ÿ“ In general, you should not keep tokens longer than required.


Useful Information

If you want to read more about JSON Web Tokens and start using them to perform authentication in your Synatic flows, go to the JWT Token page.

Did this answer your question?