Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreid6yqkyyenfpti4xvkazjlwnrcpjz4weh3rzxue6s2j6ctsk2m52u",
    "uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mloeuoy67qo2"
  },
  "description": "JSON Web Signature (JWS) is the cryptographic signing mechanism behind JWT. It defines how to produce and verify a signature over a JSON payload, using either symmetric (HMAC) or asymmetric (RSA, EC, EdDSA) keys.\n\n\nHow it works\n\nA compact JWS has three Base64URL-encoded sections joined by dots: protected_header.payload.signature. The protected header declares the algorithm (alg) and optionally a key ID (kid). The signature is computed over base64url(header) + \".\" + base64url(payload) using the d",
  "path": "/engineering-glossary/jws-json-web-signature/",
  "publishedAt": "2026-05-12T18:04:57.000Z",
  "site": "https://sahilkapoor.com",
  "tags": [
    "RFC 7515",
    "JWT",
    "JWE",
    "OAuth 2.0",
    "OIDC",
    "Bearer Token"
  ],
  "textContent": "**JSON Web Signature (JWS)** is the cryptographic signing mechanism behind JWT. It defines how to produce and verify a signature over a JSON payload, using either symmetric (HMAC) or asymmetric (RSA, EC, EdDSA) keys.\n\n## How it works\n\nA compact JWS has three Base64URL-encoded sections joined by dots: `protected_header.payload.signature`. The protected header declares the algorithm (`alg`) and optionally a key ID (`kid`). The signature is computed over `base64url(header) + \".\" + base64url(payload)` using the declared algorithm.\n\nVerifiers parse the header, look up or derive the matching key (often via JWK), and verify the signature. The payload is encoded, not encrypted; anyone with the token can read it.\n\n## Common algorithms\n\n  * **HS256, HS384, HS512:** HMAC with SHA-2, shared secret\n  * **RS256, RS384, RS512:** RSA signature, asymmetric\n  * **ES256, ES384, ES512:** ECDSA, asymmetric, smaller signatures\n  * **EdDSA:** Edwards-curve signatures (Ed25519)\n  * **none:** no signature; must be rejected at validation\n\n\n\n## Specification\n\nDefined by RFC 7515.\n\n🔗\n\n**Related Terms**\nJWT, JWE, OAuth 2.0, OIDC, Bearer Token.",
  "title": "JWS",
  "updatedAt": "2026-05-13T19:15:13.698Z"
}