Is JWT necessary over HTTPS communication?

死守一世寂寞 2021-02-02 01:02

I'm developing a MEAN stack application, and I'm currently setting up an account system. I've seen several tutorials about Authentication, all using JWT. I

4 answers
  •  情话喂你 2021-02-02 01:38

    JWT should not be confused with encryption. From jwt.io:

    JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

    The JWT is signed with public/private key pairs so the sender can be verified, and so it can be verified that the payload has not been modified. However, the JSON Web Token is in clear text.

    // Example token from jwt.io (header.payload.signature). The payload segment is only
    // base64url-encoded, not encrypted, so anyone holding the token can read it.
    var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";

    // Take the middle segment and map base64url characters ('-', '_') to plain
    // base64 ('+', '/') so atob() also works for tokens that contain them.
    var payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');

    console.log('Payload: ' + atob(payload));
    // prints: Payload: {"sub":"1234567890","name":"John Doe","admin":true}

    Below is a figure from jwt.io showing the authentication flow when using JWT.

    You need SSL/HTTPS to encrypt the communication. Without SSL/HTTPS attackers can sniff the network traffic and obtain the JWT, hence your application is vulnerable to man-in-the-middle attacks.
