Skip to main content

JSON Web Encryption (JWE)

Introduction

Welcome to Figure's guide on using JSON Web Encryption (JWE) to secure sensitive data when interacting with our API. This guide is designed for developers integrating with Figure's API, providing instructions on encrypting data to ensure privacy and security.

Figure's Commitment to Data Protection

At Figure, we prioritize the protection of sensitive data. We employ industry-standard encryption techniques, such as JWE, to safeguard your information. By following this guide, you will help us maintain the highest standards of security for all data exchanged with our API.

Understanding JWE

What is JWE?

JSON Web Encryption (JWE) is a standard for securely transmitting information using JSON-based data structures. It ensures that the data is encrypted and can only be decrypted by the intended recipient, protecting it from unauthorized access.

Key Concepts

  • Encryption and Decryption: The process of converting plaintext data into a secure format and then back into plaintext by the authorized party.
  • Compact Serialization and JSON Serialization: Methods of representing the encrypted data in a compact, URL-safe format or a JSON format for transmission.

Structure of a JWE

Components of a JWE

A JWE token consists of five parts, separated by periods, each base64url-encoded:

  1. Header: Contains metadata about the encryption algorithm and type of token.
  2. Encrypted Key: The symmetric key used to encrypt the payload, encrypted with the recipient's public key.
  3. Initialization Vector (IV): A random value used to ensure the same plaintext does not always encrypt to the same ciphertext.
  4. Ciphertext: The encrypted payload.
  5. Authentication Tag: Ensures the integrity of the token.

Example of a JWE Token

Encoded, a JWE token will look like this:

Example JWE token
   eyJhbGciOiJSU0EtT0FFUCJ9.OKOawDo13gRp2ojaHV7LF5gC.48V1_ALb6US04U3b.5eym8LUKS8MB8lE.XFBoMYUZodetZdvTiFvSkQ
// ^header                  ^encrypted key          ^IV               ^ciphertext     ^authentication tag

In plaintext, the token structure looks like this:

Notional Plaintext JWE token
{"alg":"RSA-OAEP-256","enc":"A256GCM"}
.
SomeEncryptedSymmetricKey
.
RandomInitializationVector
.
{"sensitive":"data"}
.
AuthenticationTag