The Role of Data Signatures

Learn how data signatures are used while accessing a web application.

Data signature

Data encryption is the process of converting original data into a new sequence of bytes from which the original data cannot be read without access to a secret key. Encryption prevents people from reading the data if they do not have the key. This protection is called data confidentiality. JWT does not involve encryption, it uses signatures instead. The expectation is that confidentiality will be provided by the Transport Layer Security (TLS), which is what “S” gives us in HTTPS.

Unlike encryption, data signatures do not replace the original data. The data and a secret get hashed to create a new random-looking string of bytes called the signature, which gets appended to the data. Hashing data can be thought of as mixing up all the bits together and condensing it down to a shorter length. The important thing is that it becomes impossible to create a fake signature if we don’t know the secret, or even to find a different piece of data with the same signature. The benefit of this is protection, which we call data integrity. If some data is accompanied by a valid signature, we know that the data was not modified.

To summarize, JWT uses signatures to provide data integrity, rather than using encryption to provide data confidentiality.

So what does this have to do with tokens? It’s best to think of two different phases.

  1. In the first phase, a token gets generated.
  2. In the second phase, the token is used to authenticate to an API.

Accessing a web application

When a user reaches your web application:

Get hands-on with 1200+ tech skills courses.