JSON Web Tokens (JWT) are compact, cryptographically signed tokens primarily used to authorize requests against modern REST APIs and microservices. Because the server can verify a JWT's signature locally with the issuer's key, it rarely needs to query a database to authenticate a request.
SAML (Security Assertion Markup Language) is a robust, XML-based standard primarily used for enterprise Single Sign-On (SSO). Its XML assertions require heavier parsing and more round trips, and it is highly secure, but JWT's compact JSON format makes it significantly easier to transmit in HTTP headers in web and mobile applications.
The Authorization Code flow securely exchanges a temporary code for an Access Token (JWT).
```mermaid
graph TD
User([Resource Owner])
Client[Client App]
AuthServer[(Auth Server)]
API[(API Server)]
User -->|1. Clicks Login| Client
Client -->|2. Requests Auth Code| AuthServer
AuthServer -.->|3. Prompts for Consent| User
User -.->|4. Grants Consent| AuthServer
AuthServer -->|5. Returns Auth Code| Client
Client -->|6. Exchanges Code for Tokens| AuthServer
AuthServer -->|7. Returns Access Token JWT| Client
Client -->|8. API Call with Bearer JWT| API
API -->|9. Validates JWT & Returns Data| Client
```
A JSON Web Token consists of three parts separated by dots (header, payload, signature), each Base64Url encoded without padding.
```mermaid
graph LR
JWT[Encoded JWT Token]
Header[Header: Algorithm & Type]
Payload[Payload: Data & Claims]
Signature[Signature: Verification]
JWT -->|Part 1| Header
JWT -->|Part 2| Payload
JWT -->|Part 3| Signature
style Header fill:#df3852,stroke:#fff,stroke-width:2px,color:#fff
style Payload fill:#d72199,stroke:#fff,stroke-width:2px,color:#fff
style Signature fill:#4d7dff,stroke:#fff,stroke-width:2px,color:#fff
```
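The following is an added example, not code from the original page, that ties the two diagrams together: the auth server mints the access token (step 7 of the flow) and the API server validates it locally (step 9) by checking the three dot-separated parts described above. It uses only the Python standard library and HS256 (HMAC-SHA256) with a shared secret; the secret, issuer, audience and claim values are constructed for this example, and the audience is assumed to be a single string rather than a list.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared secret for this example only; with HS256 the auth server
# and the API server hold the same key (an assumption for the demo).
SECRET = b"example-shared-secret-for-demo-only"
ISSUER = "https://auth.example.test"      # constructed issuer value
AUDIENCE = "orders-api"                   # constructed audience value


def b64url_encode(data: bytes) -> str:
    """Base64Url without '=' padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_jwt(secret: bytes, claims: dict) -> str:
    """Auth server side (step 7): build header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig_b64 = b64url_encode(sign_hs256(secret, signing_input))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def decode_parts(token: str) -> Tuple[dict, dict]:
    """Split the token into its three parts and decode header and payload.
    This is inspection only; nothing here is trustworthy until verify_jwt passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[float] = None) -> dict:
    """API server side (step 9): verify locally, no database lookup needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm it accepts instead of taking the header's word for it.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not hmac.compare_digest(sign_hs256(secret, signing_input), b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Claim checks: expiry, issuer and audience must all match what this API expects.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise InvalidToken("token expired or missing exp")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != audience:
        raise InvalidToken("wrong audience")
    return claims


def token_is_valid(token: str, secret: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return True
    except (InvalidToken, ValueError):
        return False


def rewrite_subject_unsigned(token: str, new_sub: str) -> str:
    """Change the 'sub' claim without re-signing, to show that the signature
    binds the payload and the API rejects the edited token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    new_payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_jwt(SECRET, {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                              "iat": issued, "exp": issued + 300})
    print("header, payload:", decode_parts(token))
    print("valid:", token_is_valid(token, SECRET, ISSUER, AUDIENCE))
    print("edited payload valid:", token_is_valid(rewrite_subject_unsigned(token, "bob"),
                                                  SECRET, ISSUER, AUDIENCE))
```

The `now` parameter exists so the expiry check is deterministic in tests; in production the default wall-clock time is used. Note that `decode_parts` deliberately does no verification: a token's claims can be read by anyone holding it, and only `verify_jwt` establishes that the auth server actually issued them.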