> ## Documentation Index
> Fetch the complete documentation index at: https://docs.withsutro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# JSON Web Tokens (JWTs)

> Understanding how JWTs work in Sutro's authentication system

**JSON Web Tokens (JWTs)** are compact, signed tokens that carry identification and authorization information.

A JWT contains three parts:

* **Header** — how the token is constructed
* **Payload** — identity and other claims
* **Signature** — proof that the token is genuine

Within the payload, the **subject (`sub`) claim** identifies the user or entity:

```json theme={null}
{
  "sub": "123-45-6789"
}
```

This value is a **Security Identifier (SID)** that uniquely represents an identity.

## Signing and Verification

JWTs are signed so that recipients can verify they have not been tampered with. Verification is done by checking that the signature matches the payload using a corresponding verification key.

## Symmetric vs Asymmetric Keys

JWTs can be signed using:

* **Symmetric keys** — one shared key used for both signing and verifying
* **Asymmetric keys** — a private key for signing and a public key for verification

Symmetric keys create risk: anyone who can verify a token can also forge one.\
Asymmetric keys avoid this. The signing private key never leaves your control, and we only receive the public verification key.

## Why Asymmetric Keys and JWTs?

While [Mutual TLS (mTLS)](/docs/getting-started/auth/mutual-tls) proves *which server* is sending a request, it does not tell us *which user* the server is acting on behalf of.
JWTs fill this gap by conveying identity and permission information for individual [Builders](/docs/getting-started/auth/builders) and [Members](/docs/getting-started/auth/members).

Asymmetric JWT verification is used because:

* You keep the private signing key, maintaining full control over user management.
* Sutro only needs the public key, ensuring verification is possible without ever being able to forge tokens.
* Each authentication service or environment can have its own key pair, making token origin traceable.

This separation—[mTLS](/docs/getting-started/auth/mutual-tls) for server identity, JWTs for user identity—provides strong, flexible, and auditable security.
