
When using cookies they are stored on the server and compared to the ones coming in the request from a client. What are the JWTs compared to? Are they being decoded into their components?

ilyo
  • possible duplicate of [Why do we need JWT when we have client sessions?](http://stackoverflow.com/questions/29997520/why-do-we-need-jwt-when-we-have-client-sessions) – frasertweedale May 08 '15 at 04:53
  • No, this is a completely different question – ilyo May 08 '15 at 06:28
  • Yes, on further consideration they are different (there are similarities, but yours is focused on the "how" not the "why"). I will answer. – frasertweedale May 08 '15 at 06:36

1 Answer


A JSON Web Signature (JWS) JWT is not "compared to" anything; rather it is validated using a cryptographic key. Various algorithms are supported. The system validating the JWT must have access to the appropriate key for validating a particular JWT.

For symmetric algorithms (HS{256,384,512}) the JWS object comprising the token is validated using the HMAC construction with the SHA-2 cryptographic digest, keyed by a shared secret, i.e. the same key used to produce the token must be used to validate it.

For asymmetric algorithms ({RS,ES,PS}{256,384,512}) the JWS object comprising the token is validated using the RSASSA-PKCSv1.5 (RS), ECDSA (ES) or RSASSA-PSS (PS) algorithms with the SHA-2 cryptographic digest, using the public key corresponding to the private key used to sign the JWS.

The process of validating a JWS (a JWT is always serialized using the JWS compact serialization) is defined in the JWS Internet-Draft. In brief, the token is split into its three parts: header (a base64-encoded JSON object), payload (base64-encoded octet string; for JWT this is a JSON JWT claims object) and signature (base64-encoded octet string). The header identifies the algorithm used, and this algorithm is used to verify the signature, which is computed across ASCII(BASE64URL(UTF8(Header)) || '.' || BASE64URL(Payload)) (this signing input is exactly the serialised JWT up to but not including the second period.)

frasertweedale