[1] draft-ietf-oauth-json-web-token-32 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
[2] draft-ietf-oauth-jwt-bearer-12 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
[3] RFC 7519 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/rfc7519
[4] RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7521
[5] RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7523
[6] RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) ( 版) https://tools.ietf.org/html/rfc7800
JWT tokens will be sent in the Authorization header, following with term JWT and a space character.
Example that assumes eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds is the actual token:
GET /<service>/<resource> HTTP/1.1
Host: 127.0.0.1:1337
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds
[9] Stop using JWT for sessions - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
[10] Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/
Mapbox uses JSON Web Tokens (JWT) as the token format.
Webhooks declared by an add-on can optionally receive a JWT authenticating the request. The JWT is sent in the Authorization header and has the same structure as the JWT sent in the signed_request query parameter for configuration pages and other UI elements:
POST /echo HTTP/1.1
Host: addon.example.com
Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAi...
Content-Length: 646
Content-Type: application/json
5. Bitbucket Cloud JWT Grant (urn:bitbucket:oauth2:jwt)
If your Atlassian Connect add-on uses JWT authentication, you can swap a JWT for an OAuth access token. The resulting access token represents the account for which the add-on is installed.
Make sure you send the JWT token in the Authorization request header using the "JWT" scheme (case sensitive). Note that this custom scheme makes this different from HTTP Basic Auth (and so you cannot use "curl -u").
$ curl -X POST -H "Authorization: JWT {jwt_token}" \
https://bitbucket.org/site/oauth2/access_token \
-d grant_type=urn:bitbucket:oauth2:jwt
With JWT Based Access Control you build sites with any site generator and enable granular role based permissions while delegating authentication and user management to any service that can issue JSON Web Tokens.
Google search: application/jwk-set+jwt