What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

To put simply, JWT (JSON Web Token) is a way of representing claims which are name-value pairs into a JSON object. JWT spec defines a set of standard claims to be used or transferred between two parties.

On the other hand, JWS (JSON Web Signature) is a mechanism for transferring JWT payload between two parties with guarantee for Integrity. JWS spec defines multiple ways of signing (eg. HMAC or digital signature) the payload and multiple ways of serializing the content to transfer across network.


JWT actually uses JWS for its signature, from the spec's abstract:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined such as iss, aud, exp etc.

This also means that its integrity protection is not just limited to shared secrets but public/private key cryptography can also be used.