A JSON Web Signature (JWS) is a IETF standard (RFC 7515) for securing data, typically a JSON object, with a digital signature or a Message Authentication Code (MAC). It provides integrity protection and authenticity for the data, allowing a recipient to verify that the content has not been altered and originated from a known sender. The structure is composed of three Base64url-encoded parts separated by dots: a JOSE Header, the JWS Payload, and the JWS Signature. This compact serialization makes JWS ideal for use in web tokens, API security, and other stateless authentication protocols.
LABS
Glossary
JSON Web Signature (JWS)
JSON Web Signature (JWS) is an IETF standard (RFC 7515) for securing data with digital signatures or MACs using a compact, URL-safe JSON representation.
Chainscore © 2026
definition
CRYPTOGRAPHIC STANDARD
What is JSON Web Signature (JWS)?
A JSON Web Signature (JWS) is a compact, URL-safe means of representing claims to be transferred between two parties, secured with a digital signature or Message Authentication Code (MAC).
The JOSE Header contains metadata describing the cryptographic operations applied. It specifies the signing algorithm (e.g., RS256 for RSA with SHA-256 or HS256 for HMAC with SHA-256) and may declare the type of the payload via the typ parameter. The JWS Payload is the actual content being secured, which can be any sequence of bytes, though it is commonly a JSON Web Token (JWT) claim set. The JWS Signature is computed over the concatenation of the encoded header, a dot (.), and the encoded payload, using the algorithm and key specified in the header.
JWS supports two primary modes of trust: digital signatures using asymmetric cryptography (e.g., RSA, ECDSA) and MACs using symmetric keys (e.g., HMAC). Asymmetric signatures allow verification by anyone with the public key, enabling scenarios like issuer verification in OAuth 2.0 and OpenID Connect. Symmetric MACs require all parties to share a secret key and are used in contexts where a single entity both creates and validates the signature. The standard also defines a JSON Serialization format for environments where the compact, dot-separated string is not suitable.
In practice, JWS is the foundational security layer for JSON Web Tokens (JWTs), where the JWS secures the JWT claims. It is widely deployed in modern web security for access tokens, identity tokens, and securing API requests. When a system receives a JWS, it must validate the signature using the correct key, verify the algorithm is allowed, and check the token's expiration and other claims within the payload to prevent security vulnerabilities like algorithm confusion attacks.
how-it-works
MECHANISM
How Does JWS Work?
A technical breakdown of the JSON Web Signature (JWS) process, detailing how digital signatures are applied to JSON data to ensure integrity and authenticity.
A JSON Web Signature (JWS) is a compact, URL-safe means of representing a digitally signed payload, typically a JSON object, using JSON data structures. The core process involves three steps: creating a JOSE Header specifying the signing algorithm, computing a digital signature over the combined header and payload, and serializing the result into either a Compact Serialization (a three-part, dot-separated string) or a JSON Serialization (a JSON object). This signature allows any party with the appropriate public key to verify that the payload has not been tampered with and was signed by the holder of the corresponding private key.
The signing process is defined by the JWS Signing Input, which is the concatenation of the Base64url-encoded JOSE Header, a period (.), and the Base64url-encoded payload. The specified digital signature algorithm (e.g., RS256, ES256, HS256) is then applied to this input string using the signer's private or secret key. Common algorithms include RSA with PKCS#1 v1.5 or PSS padding, Elliptic Curve Digital Signature Algorithm (ECDSA), and HMAC with SHA-2 for symmetric key scenarios. The resulting signature is also Base64url-encoded for inclusion in the final JWS structure.
For verification, the recipient decodes the JWS, recomputes the JWS Signing Input from the received header and payload, and verifies the signature using the algorithm specified in the alg header parameter. Successful verification cryptographically proves the integrity of the payload and header, and, when asymmetric cryptography is used, the authenticity of the signer. The JOSE Header may also contain other protected metadata, such as a key ID (kid) to indicate which key was used, which is critical for key rotation in systems like OAuth 2.0 and OpenID Connect.
JWS supports two serialization formats to accommodate different use cases. The Compact Serialization (header.payload.signature) is optimized for space and is commonly used in HTTP headers (e.g., Bearer tokens). The JSON Serialization produces a JSON object with payload, signatures (an array), and protected/header fields, enabling features like multiple signatures or unprotected headers. This flexibility makes JWS a foundational standard for securing API communications, identity tokens, and any data exchange requiring verifiable provenance.
key-features
CORE MECHANICS
Key Features of JWS
JSON Web Signature (JWS) is a standard for securing data with digital signatures or MACs. Its core features provide integrity, authenticity, and a flexible structure for representing signed content.
01
Compact Serialization
The most common JWS format, representing the signature as a single, URL-safe string. It uses a Base64url encoding of the header and payload, concatenated with a dot (.).
- Structure:
BASE64URL(Header).BASE64URL(Payload).BASE64URL(Signature) - Ideal for HTTP headers (like
Authorization: Bearer <token>) and compact data exchange. - Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
02
JSON Serialization
A more flexible, explicit JSON object representation of the JWS. It is used when multiple signatures are required or when the payload is a detached signature.
- Structure: A JSON object with
payload,signatures(an array), andprotected/headerfields. - Enables multiple signers on the same payload.
- Supports detached content, where the payload is transmitted or stored separately from the signature object.
03
Algorithm Independence
JWS is agnostic to the specific cryptographic algorithm used, declared in the JWS Protected Header (alg).
- Digital Signatures: Algorithms like RS256 (RSA), ES256 (ECDSA), or EdDSA provide non-repudiation.
- MACs (Message Authentication Codes): Algorithms like HS256 (HMAC) provide integrity and authenticity when signer and verifier share a secret key.
- This allows systems to choose the appropriate security and performance profile.
04
Detached Payload
A critical feature where the JWS signature is created for a payload that is not included within the JWS structure itself.
- The
payloadfield in the JWS is set to an empty string or omitted. - The verifier must have the original payload from another source (e.g., a database, a separate API call).
- Used for signing large files or data streams where embedding the payload would be inefficient, or when the payload must remain in its native format.
05
JWS Protected Header
A JSON object containing parameters that are integrity-protected by the signature. It is Base64url encoded and included in the signature calculation.
- Mandatory
alg: Specifies the signing algorithm. - Optional
kid: A 'key ID' hint for selecting the correct key for verification. - Optional
typ: The media type (e.g.,JWT). - Can be split between a protected header (signed) and an unprotected header (not signed).
06
Nested JWT (JWS within JWE)
A powerful pattern for combining signature and encryption. A JWS (which provides authenticity) is used as the payload for a JSON Web Encryption (JWE) structure.
- Sign-then-Encrypt: The data is first signed (creating a JWS), then the entire JWS is encrypted (creating a JWE).
- This provides confidentiality, integrity, and authenticity.
- Common in high-security applications where data must be both private and verifiably from a specific source.
serialization-formats
DATA INTEGRITY
JWS Serialization Formats
The standardized methods for representing a JSON Web Signature (JWS) as a string or object, enabling the secure transmission of digitally signed data.
A JSON Web Signature (JWS) is a compact, URL-safe means of representing content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. The JWS Serialization Formats define how the core components—the JWS Protected Header, JWS Payload, and JWS Signature—are assembled for transmission. The IETF RFC 7515 standard specifies two primary formats: the Compact Serialization and the JSON Serialization, each serving distinct use cases in web security, API authentication, and verifiable credentials.
The Compact Serialization is the most common format, producing a single, condensed string ideal for HTTP headers (like the Authorization: Bearer token) or URL query parameters. It concatenates the base64url-encoded Protected Header, Payload, and Signature, separated by period (.) characters, resulting in a structure like eyJhbGciOiJ.... This format is compact and widely supported but is limited to a single digital signature or MAC per JWS, using only a JWS Protected Header.
In contrast, the JSON Serialization represents the JWS as a JSON object, providing greater flexibility. This format supports multiple signatures or MACs over the same payload, enabling complex scenarios like multi-party signing. The JSON structure contains members such as payload, signatures (an array of signature objects), and optionally a protected header. Each signature object within the array can have its own set of header parameters (protected and/or header), allowing for different algorithms or keys to be applied to the same payload.
The choice between formats depends on the application's requirements. Compact Serialization is preferred for its simplicity and efficiency in token-based authentication (e.g., JWT). JSON Serialization is necessary for advanced features like JWS JSON Serialization with Unencoded Payload (RFC 7797), where the payload is included as a non-base64url-encoded JSON value, or when detached content is used, allowing the payload to be transmitted separately from the signature for efficiency with large payloads.
Understanding these formats is crucial for implementing secure data exchange. Developers must correctly encode and decode the JOSE Header parameters, handle the base64url encoding as specified, and validate signatures according to the algorithm specified in the alg header. Proper implementation ensures data integrity, authenticity, and non-repudiation in systems ranging from OAuth 2.0 and OpenID Connect to blockchain transactions and digital document signing.
ecosystem-usage
JSON WEB SIGNATURE (JWS)
Ecosystem Usage in Web3 & Identity
JSON Web Signature (JWS) is a compact, URL-safe means of representing claims to be transferred between two parties, secured by a digital signature or MAC. In Web3, it's a foundational standard for creating and verifying verifiable credentials and decentralized identity tokens.
01
Core Structure & Components
A JWS is composed of three parts, separated by dots (.): a JOSE Header, a Payload, and a Signature. The header specifies the signing algorithm (e.g., ES256K). The payload contains the claims or data. The signature is computed over the concatenated header and payload, ensuring data integrity and authenticity.
02
Verifiable Credentials (VCs)
JWS is the primary mechanism for signing Verifiable Credentials in the W3C standard. The credential's JSON data becomes the JWS payload. The issuer's signature allows any verifier to cryptographically confirm the credential's origin and that it hasn't been altered, enabling trustless verification of claims.
03
Decentralized Identifiers (DIDs) & Authentication
JWS is used in DID Auth protocols. A user proves control of a DID by signing a challenge (e.g., a nonce) with their private key, producing a JWS. This signature, which can be verified against the public key in the user's DID Document, is the basis for secure, passwordless authentication in decentralized applications.
04
Selective Disclosure & JWS Detached Mode
For privacy, selective disclosure allows revealing only specific claims from a credential. This is often implemented using JWS Detached Payload mode, where the payload is sent separately from the signature. The verifier reconstructs the signed data to validate it, enabling zero-knowledge-style proofs of specific attributes.
06
Comparison with JWT
A JSON Web Token (JWT) is a specific, common use case of JWS (or JWE) where the payload follows a registered claims structure. In Web3 identity, the term JWS is often preferred as the payloads (like VCs) have their own complex schemas, and the focus is on the signature's cryptographic proof rather than a standardized set of claims.
jws-vs-jwt
CRYPTOGRAPHIC STANDARDS
JWS vs. JWT: The Relationship
A technical breakdown of the JSON Web Signature (JWS) standard and its critical role in securing JSON Web Tokens (JWTs).
A JSON Web Signature (JWS) is a cryptographic mechanism defined in RFC 7515 for securing data, typically a JSON Web Token (JWT), with a digital signature or Message Authentication Code (MAC). It provides integrity protection and authenticity for the signed payload, allowing a recipient to verify that the content has not been altered and originated from a trusted source. The JWS structure is the fundamental security layer that transforms a plain JSON object into a verifiable token.
The relationship between JWS and JWT is hierarchical: a JWT is the abstract concept of a set of claims, while a JWS is one of two concrete serialization formats (the other being JWE for encryption) used to realize a JWT. In practice, when developers refer to a "signed JWT," they are almost always describing a JWT secured with a JWS. The JWS specification defines the exact structure—comprising a header, payload, and signature—that is base64url-encoded to produce the familiar compact string format (e.g., eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...).
The JWS header contains metadata critical for processing, most importantly the alg (algorithm) parameter, which specifies the signing algorithm (e.g., RS256, HS256, ES256). The payload is the JWT Claims Set—the actual data being secured. The signature is computed over the concatenated base64url-encoded header and payload. This design ensures that any tampering with the header or payload invalidates the signature, making JWS essential for secure authentication and authorization in protocols like OAuth 2.0 and OpenID Connect.
It is crucial to distinguish JWS from JSON Web Encryption (JWE), which provides confidentiality instead of integrity. While a JWS can be nested within a JWE for both signing and encryption, a JWT is most commonly implemented as a JWS. Understanding this relationship is key for developers implementing secure APIs, as proper algorithm selection (alg) and key management are dictated by the JWS standard to prevent vulnerabilities like algorithm confusion attacks.
security-considerations
JSON WEB SIGNATURE (JWS)
Security Considerations
JWS provides a mechanism for securing data integrity and authenticity, but its security is contingent on proper implementation and key management.
01
Algorithm Choice & JWA
The security of a JWS depends on the algorithm specified in the alg header. The JSON Web Algorithms (JWA) RFC defines these. Critical considerations include:
- Avoiding
none: The"alg": "none"algorithm must be explicitly rejected to prevent unsecured tokens. - Asymmetric vs. Symmetric: Use RS256 (RSA) or ES256 (ECDSA) for signatures where the signer and verifier have different keys. Use HS256 (HMAC) only when a shared secret can be securely distributed.
- Algorithm Confusion Attacks: A common vulnerability occurs when a system expecting an asymmetric signature (RS256) accepts a symmetric one (HS256) by confusing the public key as an HMAC secret.
02
Key Management
The security of any digital signature hinges on key security.
- Private Key Protection: Signing keys must be stored in a Hardware Security Module (HSM) or secure key vault, never in source code.
- Public Key Distribution: Verifiers must obtain the signer's public key from a trusted source, often via a JWK Set (JWKS) endpoint. This endpoint must be secured (HTTPS) to prevent man-in-the-middle attacks.
- Key Rotation: Implement processes for regular key rotation and ensure systems can handle multiple valid keys (via
kidheaders) during transitions.
03
Header Validation
The JWS Protected Header and Unprotected Header must be rigorously validated before trusting the signature.
- Critical Parameters: Validate the
algand, if present, thecrit(critical) header parameters. Unrecognized critical parameters must cause rejection. - Key ID (
kid): Thekidmust be validated to ensure the correct key is used for verification, preventing key substitution attacks. - Token Type (
typ): Thetypheader (e.g.,JWT) should be checked to ensure the token is of the expected type.
04
Canonicalization & Encoding
JWS signatures are computed over a precise byte sequence. Any discrepancy in constructing this input invalidates the signature.
- Base64url Encoding: The header and payload must be encoded using RFC 4648 Base64url (URL-safe, no padding). Different encoding libraries can produce different outputs.
- JWS Signing Input: The string to sign is
BASE64URL(UTF8(JWS Protected Header)) + '.' + BASE64URL(JWS Payload). The exact serialization of the header JSON (whitespace, key order) can affect the hash. - Detached Payloads: For detached signatures, the verifier must reconstruct the exact payload that was signed.
05
JWS vs. JWE
A critical distinction is that JWS provides integrity and authenticity, not confidentiality.
- JWS (Signature): The payload is only base64 encoded and is readable by anyone. Use JWS for publicly verifiable claims (e.g., OIDC ID Tokens).
- JWE (Encryption): The payload is encrypted and confidential. Use JWE to protect sensitive data.
- Common Mistake: Using a JWS to transmit a secret (like an API key) exposes it. For full security (confidentiality + integrity), a JWS can be nested inside a JWE.
06
Real-World Attack Vectors
Understanding common exploits is essential for secure implementation.
- Algorithm Switching: An attacker alters the
algheader fromRS256toHS256. If the verifier uses the RSA public key as the HMAC secret, the attacker can forge signatures. - Weak HMAC Secrets: When using
HS256, the secret must be cryptographically strong (high entropy), not a simple password. - Invalid Curve Attacks: For ECDSA algorithms (e.g., ES256), the verifier must validate that the public key and signature points lie on the correct elliptic curve.
- Key Injection via
jwkHeader: Accepting a key embedded in the header (jwkorx5c) can allow an attacker to supply their own verification key. This should be disabled unless explicitly required.
COMPARISON
Common JWS Signing Algorithms
A comparison of standardized JWA (JSON Web Algorithms) used for signing JWS payloads, detailing their cryptographic properties and typical use cases.
| Algorithm (alg Parameter) | Key Type | Security Level (bits) | Standardized in JWA | Common Use Cases |
|---|---|---|---|---|
HMAC with SHA-256 (HS256) | Symmetric | 128 | Internal APIs, session tokens | |
RSASSA-PKCS1-v1_5 with SHA-256 (RS256) | Asymmetric (RSA) | 128 | OAuth 2.0, OpenID Connect | |
ECDSA with P-256 and SHA-256 (ES256) | Asymmetric (EC) | 128 | High-performance APIs, IoT | |
EdDSA with Ed25519 (EdDSA) | Asymmetric (EC) | 128 | Modern protocols, high-security apps | |
RSASSA-PSS with SHA-256 (PS256) | Asymmetric (RSA) | 128 | Regulatory compliance, financial systems | |
HMAC with SHA-512 (HS512) | Symmetric | 256 | High-security symmetric contexts |
JSON WEB SIGNATURE (JWS)
Frequently Asked Questions (FAQ)
Common questions about JSON Web Signatures (JWS), a compact, URL-safe standard for representing claims secured with digital signatures or message authentication codes (MACs).
A JSON Web Signature (JWS) is a cryptographic mechanism defined in RFC 7515 for securing a JWT payload or any arbitrary data by applying a digital signature or Message Authentication Code (MAC). It works by taking a JWS Payload (the data to be secured), a JWS Header (containing metadata like the signing algorithm), and a secret or private key to produce a JWS Signature. The final output is a JWS Compact Serialization, a URL-safe string with three dot-separated segments: BASE64URL(UTF8(JWS Protected Header)).BASE64URL(JWS Payload).BASE64URL(JWS Signature). This structure allows the recipient to verify the integrity and authenticity of the payload.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall