API Reference

JWTs

A JSON Web Token (JWT) is an open standard (RFC 7519) for a self-contained token that carries signed claims between the Authorization Server, clients and resource servers. If you have obtained a JWT, that is all you need: send it with each request to the NextChapter API. Treat it like a password, since anyone who holds the token can use it. It is still good to know what a JWT looks like.

The global structure

A JWT is, in a nutshell, three base64url-encoded segments joined with dots: two JSON objects (the header and the payload) followed by the signature. Base64url is an encoding, not encryption, so anyone holding the token can read the header and payload; never put secrets in the claims. You can paste any generated token into jwt.io to inspect it, but avoid doing that with production tokens: a token pasted into a third-party site is a token you have shared.

The three objects are:

  • The header, which says how the token is signed (the alg and typ fields). A client can ignore it. A resource server uses it only to select the signature check it already expects to run; it must never let an unexpected value in the header weaken or skip verification.
  • The payload, which contains the claims: information about the client and the scopes that have been granted to it. Read more about scopes.
  • The signature, computed by the Authorization Server over the encoded header and payload using the method named in the header. Resource servers verify it to confirm that the token was issued by the Authorization Server and has not been modified since.
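To make the three-segment structure concrete, here is an added example in Python using only the standard library; it is not code from the NextChapter API or its SDKs. It assumes an HS256 (HMAC-SHA256) signature and a constructed shared secret so that issuing and verifying can run in one file; the NextChapter Authorization Server may use a different algorithm, but the layout, the decode step and the verification discipline are the same. The claim names and values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only. The real signing key lives in the
# Authorization Server and is never handed to clients.
SECRET = b"example-shared-secret-not-a-real-key"


def b64url_encode(raw: bytes) -> str:
    """base64url without the trailing '=' padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Reverse of b64url_encode: restore the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(payload: dict, secret: bytes) -> str:
    """What the Authorization Server does: encode header.payload, then sign that string."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt(token: str) -> tuple:
    """Split and decode a token WITHOUT verifying it (what a client or jwt.io does)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def verify_jwt(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """What a resource server does: recompute the MAC over header.payload and compare."""
    header, payload, sig = decode_jwt(token)
    # Pin the algorithm. Until the signature checks out, the header is
    # attacker-controlled input, so it must not choose how it is verified.
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature does not match header.payload")
    return payload


def is_valid(token: str, secret: bytes) -> bool:
    """True only if the token parses and its signature verifies under the pinned algorithm."""
    try:
        verify_jwt(token, secret)
        return True
    except ValueError:  # covers bad base64, bad JSON, wrong alg and bad signature
        return False


def with_replaced_payload(token: str, new_payload: dict) -> str:
    """Tampering attempt: swap the payload segment but keep the original signature."""
    head, _, sig = token.split(".")
    body = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return ".".join([head, body, sig])


def unsigned_token(payload: dict) -> str:
    """Forgery attempt: a header claiming alg 'none' with an empty signature segment."""
    head = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return head + "." + body + "."


if __name__ == "__main__":
    # Constructed claims; a real token carries the Authorization Server's own claim names.
    claims = {"sub": "client-123", "scope": "books:read"}
    token = make_jwt(claims, SECRET)
    print(token)
    print(decode_jwt(token)[:2])  # header and claims are readable without the key
    print(is_valid(token, SECRET))  # True
    widened = {"sub": "client-123", "scope": "books:read books:write"}
    print(is_valid(with_replaced_payload(token, widened), SECRET))  # False: MAC no longer matches
    print(is_valid(unsigned_token(widened), SECRET))  # False: alg is not the pinned one
```

Two points the walk-through makes that the description alone does not: the claims are readable by anyone who holds the token, so a client can inspect its granted scopes locally without the key, and a resource server that accepted the header's alg at face value would accept the unsigned forgery above, which is why the verifier pins the algorithm before looking at the signature.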