What's the difference between JWTs and Bearer Token?

laoqiren picture laoqiren · Nov 2, 2016 · Viewed 65.4k times · Source

I'm learning something about Authorization like Basic, Digest, OAuth2.0, JWTs, and Bearer Token.

Now I have a question.

You know the JWTs is being used as an Access_Token in the OAuth2.0 standard. JWTs appears at RFC 7519, and Bearer Token is at RFC 6750 .

For example, the Bearer:

Authorization: Bearer <token>

I used to send token to server by AJAX or add token to the query string of the url. I know that a token can also be sent by adding it to a request header. Does that mean that token should be added to Authorization Bearer header?

Could you please tell me the relationship between JWTs and Bearer Token? Thanks a lot.

Answer

rmharrison picture rmharrison · Nov 2, 2016

Short answer

JWTs are a convenient way to encode and verify claims.

A Bearer token is just string, potentially arbitrary, that is used for authorization.

Context (story time)

A few years ago, before the JWT revolution, a <token> was just a string with no intrinsic meaning, e.g. 2pWS6RQmdZpE0TQ93X. That token was then looked-up in a database, which held the claims for that token. The downside of this approach is that DB access (or a cache) is required everytime the token is used.

JWTs encode and verify (via signing) their own claims. This allows folks to issue short-lived JWTs that are stateless (read: self-contained, don't depend on anybody else). They do not need to hit the DB. This reduces DB load and simplifies application architecture because only the service that issues the JWTs needs to worry about hitting the DB/persistence layer (the refresh_token you've probably come across).