A (me): So you want some private data from me?
B (a company): Yeah. Name and email, please?
A: What's the purpose?
B: Just a newsletter.
A: Good, here you go. You have my consent to use my name and email for this purpose for about a year.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJAanN1Y2hhbCIsIm5hbWUiOiJKYW4gU3VjaGFsIiwiZW1haWwiOiJqYW4uc3VjaGFsQGdtYWlsLmNvbSIsImNvbnNlbnRzIjpbIm5ld3NsZXR0ZXIiXSwiYXVkIjoiWW91ciBDb21wYW55LCBMdGQuIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1OTY2MzkwMjJ9.tRANmViLotSJq63WIVplXS8Sfep4gckxD7Q499SRB3oyPCLkzcmReadYnCN2zkcJK9NqOXqWb5w7x6tMHT2PajRweD-dyDckFxvyX7ETjmKAHctoNvKaxHu0D1VybrKB4ve7ydijVh9JfGR6lJpooY2m2kMKHanDLU6ZKCyEWeM
This is a simple signed JWT token that contains this data:
{
  "sub": "@jsuchal",
  "name": "Jan Suchal",
  "email": "jan.suchal@gmail.com",
  "consents": [
    "newsletter"
  ],
  "aud": "Your Company, Ltd.",
  "iat": 1516239022,
  "exp": 1596639022
}
My public key is:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd
UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs
HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D
o2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY-----
(copy & paste the token into jwt.io to see it in action)
B: Thanks.
(A little bit later)
C (an authority) to B: We need to see that you have consent for storing/processing A's private data for sending out a newsletter.
B (hands over the signed JWT token): Look, we have a signed, valid consent for sending the newsletter.
C checks the token signature & consents & expiry & audience.