JWT (JSON Web Token) (JWT)
A compact, URL-safe token format for securely transmitting claims between parties. Widely used for CDN edge authentication because tokens can be validated without calling back to the origin.
Full Explanation
A JWT is a self-contained token with three parts separated by dots: header.payload.signature. The header specifies the algorithm (like HS256 or RS256). The payload contains claims (user ID, expiry time, permissions). The signature proves the token hasn't been tampered with. Everything is base64url-encoded, making it safe to pass in URLs, headers, or cookies.
For CDNs, JWTs are powerful because they enable stateless authentication at the edge. When a user requests a protected resource, the CDN edge can validate the JWT's signature and check the expiry without making any request to the origin. The edge just needs the signing key (for HMAC) or the public key (for RSA/ECDSA). This means authentication adds microseconds of latency instead of a full origin round trip.
Common CDN use cases for JWTs: signed URLs for premium content (video streams, downloads), API authentication at the edge, and access control for protected pages. Akamai's EdgeAuth, CloudFront's signed URLs, and Cloudflare's Access product all use JWT-like token structures under the hood.
The signature algorithm choice matters for edge deployment. HMAC (HS256) uses a shared secret, which is fast but means every edge server needs the secret. RSA (RS256) or ECDSA (ES256) use asymmetric keys: the origin signs with a private key, and the edge validates with the public key. Asymmetric is more secure for distributed systems because compromising an edge server only exposes the public key, not the signing key.
JWT gotchas that matter for CDNs: tokens are not encrypted by default. The payload is just base64-encoded, not encrypted. Anyone who intercepts the token can read the claims. Don't put sensitive data in the payload unless you use JWE (JSON Web Encryption). Also, JWTs can't be revoked without a blocklist (which reintroduces state). Short expiry times (5-15 minutes) with refresh tokens are the standard workaround.
Token size affects performance. A typical JWT is 200-500 bytes. If you're passing it in a cookie on every request, that's overhead on every single HTTP request. For API tokens passed in the Authorization header, it only affects API calls. Keep claims minimal to keep token size down.
Examples
# JWT structure (three base64url parts separated by dots)
# eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0In0.signature
# Decode JWT payload (no verification)
echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ' | \
base64 -d 2>/dev/null
# {"sub":"1234567890","name":"John"}
# Validate JWT in a Cloudflare Worker
async function validateJWT(token, publicKey) {
const [headerB64, payloadB64, signatureB64] = token.split('.');
const payload = JSON.parse(atob(payloadB64));
// Check expiry
if (payload.exp < Date.now() / 1000) {
return null; // expired
}
// Verify signature with Web Crypto API
const key = await crypto.subtle.importKey(
'jwk', publicKey,
{ name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
false, ['verify']
);
const valid = await crypto.subtle.verify(
'RSASSA-PKCS1-v1_5', key,
base64urlDecode(signatureB64),
new TextEncoder().encode(headerB64 + '.' + payloadB64)
);
return valid ? payload : null;
}
# Nginx JWT validation (with njs module)
js_import jwt from conf.d/jwt.js;
js_set $jwt_valid jwt.validate;
server {
location /api/ {
if ($jwt_valid = "0") {
return 401;
}
proxy_pass http://backend;
}
}
# Generate a JWT for testing (Python)
python3 -c "
import jwt, time
token = jwt.encode(
{'sub': 'user123', 'exp': int(time.time()) + 3600},
'secret', algorithm='HS256'
)
print(token)
"Frequently Asked Questions
A compact, URL-safe token format for securely transmitting claims between parties. Widely used for CDN edge authentication because tokens can be validated without calling back to the origin.
# JWT structure (three base64url parts separated by dots)
# eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0In0.signature
# Decode JWT payload (no verification)
echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ' | \
base64 -d 2>/dev/null
# {"sub":"1234567890","name":"John"}
# Validate JWT in a Cloudflare Worker
async function validateJWT(token, publicKey) {
const [headerB64, payloadB64, signatureB64] = token.split('.');
const payload = JSON.parse(atob(payloadB64));
// Check expiry
if (payload.exp < Date.now() / 1000) {
return null; // expired
}
// Verify signature with Web Crypto API
const key = await crypto.subtle.importKey(
'jwk', publicKey,
{ name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
false, ['verify']
);
const valid = await crypto.subtle.verify(
'RSASSA-PKCS1-v1_5', key,
base64urlDecode(signatureB64),
new TextEncoder().encode(headerB64 + '.' + payloadB64)
);
return valid ? payload : null;
}
# Nginx JWT validation (with njs module)
js_import jwt from conf.d/jwt.js;
js_set $jwt_valid jwt.validate;
server {
location /api/ {
if ($jwt_valid = "0") {
return 401;
}
proxy_pass http://backend;
}
}
# Generate a JWT for testing (Python)
python3 -c "
import jwt, time
token = jwt.encode(
{'sub': 'user123', 'exp': int(time.time()) + 3600},
'secret', algorithm='HS256'
)
print(token)
"Related CDN concepts include:
- TLS (Transport Layer Security) (TLS) — The encryption protocol that secures HTTPS connections. TLS encrypts data in transit between client and …
- Token Authentication — Protecting CDN-delivered content with signed URLs or tokens that expire after a set time. Prevents …
- Zero Trust — A security model where no request is trusted by default, regardless of network location. Every …
- API Gateway — A server that acts as the single entry point for API requests, handling authentication, rate …