hapijs / iron

Encapsulated tokens (encrypted and mac'ed objects)

How is Iron different from JSON Web Tokens (JWT)?

shawm11 opened this issue · comments

The only difference I see is that Iron has the feature of password rotation. Are there any other differences?

No idea. I never looked at JWT.

If someone knows both, please chime in.

After doing some research, I found a few similarities and differences between Iron and JWT.

Similarities

  • Both can encrypt then base64 encode a JSON object to create a token that is URL-friendly
  • The resulting string can be of a variable length, depending on the JSON object being encoded

Differences

  • A JWT may be base64 encoded without a signature and unencrypted, while an Iron token must always be encrypted and base64 encoded
  • JWT seems to require some combination of JSON properties (which are referred to as "claims"), while Iron will accept any valid JSON.

Overall, Iron seems to be easier to use and more flexible than JWT.

I would like to add a little to what @shawm11 said. The JWT token is two JSON objects and a signature. The claims @shawm11 mentions go into one of the objects and your custom JSON goes in the other. The claims include things like encryption algorithm, issue time, expire time, not before time, etc.

Like Iron, JWT is encrypted, signed, and encoded. And the list of options for signing and encrypting include none.

I think there is a lot of correlation between Iron and JWT. Additionally, I think there are a lot of similarities in how they are used. Frequently JWT tokens are used as the bearer token for OAuth 2.

commented

JWT is not encrypted and signed, it needs to wrap JWS I Need JWE If you need that. Also the claims are not the JWT header document.

> JWT is encrypted, signed, and encoded

@ecki is right, my statement was wrong. JWTs are not encrypted.
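
The point settled in the comments above (a signed JWT is a JWS whose payload is readable by anyone holding the token, and `none` is among the algorithm options), as an added example that is not from the thread or from the Iron project. It uses only Node's built-in `crypto`; the key, the claims and all function names are constructed for illustration.

```javascript
// Added example: a JWS-style JWT (HS256) built with Node's crypto module.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Sign "header.payload" with HMAC-SHA256 (the JWS "HS256" algorithm).
function signJwt(payload, key) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const input = `${header}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.createHmac('sha256', key).update(input).digest('base64url');
  return `${input}.${sig}`;
}

// Signing is not encryption: the payload decodes without any key.
function readPayloadWithoutKey(token) {
  return fromB64u(token.split('.')[1]);
}

// Verifier that pins the algorithm instead of trusting the token's own
// header, so an unsigned "alg":"none" token is rejected.
function verifyJwt(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  let header;
  try { header = fromB64u(h); } catch { return null; }
  if (!header || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', key).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try { return fromB64u(p); } catch { return null; }
}

// Constructed sample values (not real secrets or real tokens).
const key = 'constructed-demo-key';
const claims = { sub: 'user-1', role: 'admin' };
const token = signJwt(claims, key);
const unsigned = `${b64u('{"alg":"none"}')}.${b64u(JSON.stringify(claims))}.`;

console.log(readPayloadWithoutKey(token)); // claims are visible to any holder
console.log(verifyJwt(token, key));        // verified claims
console.log(verifyJwt(unsigned, key));     // null: unsigned token rejected
```

An Iron token, by contrast, is always encrypted and MAC'ed, so there is no keyless equivalent of `readPayloadWithoutKey` for it.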

commented

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.