Inclusion Relation among JWS, JWE, JWT, ID Token and Access Token

  • Both JWS (JSON Web Signature) and JWE (JSON Web Encryption) have two serialization methods: “JSON” and “Compact”.
  • A JWT (JSON Web Token) is either a JWS or a JWE. In either case, its serialization is “Compact” because the specification defines it so.
  • By definition, an ID Token is signed. Therefore, its format is either “JWS” or “JWE including JWS”.
  • An ID Token never takes the form of “JWS including JWE”. This is because, when an ID Token is encrypted, the specification requires the order to be “signed then encrypted”.
  • An Access Token is not always a JWT.
  • An ID Token is always a JWT by definition.
  • Even if an ID Token is used for access control, it is not called an Access Token.
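The relations above can be checked structurally from a token's outer header. The following is an added example, not code from the original article: it tells a compact JWS from a compact JWE by segment count and the "enc" header (RFC 7516, Section 9) and uses the "cty": "JWT" header (RFC 7519) to recognize the nested form. The function names and sample tokens are constructed for illustration, and rejecting "alg": "none" follows the article's statement that an ID Token is signed.

```python
import base64
import json

def b64url_json(segment: str) -> dict:
    """Decode one base64url segment (padding restored) as a JSON object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def classify_compact(token: str) -> str:
    """Tell a compact JWS from a compact JWE by segment count and 'enc' header."""
    parts = token.split(".")
    header = b64url_json(parts[0])
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    raise ValueError("not a compact JWS or JWE")

def id_token_shape(token: str) -> str:
    """Return the ID Token form the outer header announces, or raise.
    Structural check only: it verifies no signature and decrypts nothing."""
    kind = classify_compact(token)
    header = b64url_json(token.split(".")[0])
    nested = str(header.get("cty", "")).upper() == "JWT"  # marks a nested JWT
    if kind == "JWS":
        if header.get("alg") == "none":
            raise ValueError("unsecured JWT: an ID Token is signed")
        if nested:
            raise ValueError("JWS wrapping a JWT: wrong order for an ID Token")
        return "JWS"
    if not nested:
        raise ValueError("JWE whose plaintext is not declared as a JWT")
    return "JWE including JWS"

def seg(obj) -> str:
    """Constructed-sample helper: base64url(JSON) without padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed samples: signature / key / iv / ciphertext / tag segments are dummies.
SAMPLE_JWS = ".".join([seg({"alg": "RS256"}), seg({"sub": "alice"}), "c2ln"])
SAMPLE_NESTED = ".".join(
    [seg({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}), "a2V5", "aXY", "Y3Q", "dGFn"])
SAMPLE_PLAIN_JWE = ".".join(
    [seg({"alg": "RSA-OAEP", "enc": "A256GCM"}), "a2V5", "aXY", "Y3Q", "dGFn"])

if __name__ == "__main__":
    for name in ("SAMPLE_JWS", "SAMPLE_NESTED"):
        print(name, "->", id_token_shape(globals()[name]))
```

A token that passes this check still has to be decrypted (if it is a JWE) and have its signature verified before any claim in it is trusted.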

Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/