JSON Web Tokens are representations of claims, or authorization proofs that fit into the Header of HTTP requests.

How?

JWTs are used as the MAC of operations that require authorization. Gradecoin has 2 such operations:

• block proposal
• transaction proposal.

They are sent alongside the JSON request body in the Header;

Authorization: Bearer <JWT Token here>

Gradecoin uses 3 fields for the JWTs;

{
"tha": "Hash of the payload, check invididual references",
"iat": "Issued At, Unix Time",
"exp": "Expiration Time, epoch"
}

• tha is explained in blocks and transactions documentations.
• iat when the JWT was created in Unix Time format.
• exp when the JWT will expire & be rejected in Unix Time.

Algorithm

We are using RS256, RSASSA-PKCS1-v1_5 using SHA-256. The JWTs you encode with your private RSA key will be decoded using the public key you have authenticated with. You can see how the process works and create ad hoc tokens here.

References

• RFC, the ultimate reference
• JWT Debugger