What is a JWT?
A JWT is a compact, signed token that carries claims between parties in a tamper-evident form, commonly used for authentication and authorization.
A JWT (JSON Web Token) is a compact, self-contained token that carries information (claims) between two parties in a verifiable way. It's widely used for authentication: after you log in, the server gives you a JWT that proves who you are on later requests.
Structure:
A JWT has three Base64url-encoded parts separated by dots: header.payload.signature
- Header: The token type and signing algorithm
- Payload: The claims (user id, roles, expiry)
- Signature: A cryptographic signature computed over the header and payload with the issuer's key, so any change to either part invalidates it
How It Works:
- You log in with credentials
- The server creates a JWT and signs it with a secret
- The client stores the token and sends it on each request
- The server verifies the signature and reads the claims — no database lookup needed
Benefits:
- Stateless: The server doesn't store sessions
- Portable: Works across services and domains
- Compact: Easy to send in headers
FAQ
Is the payload in a JWT encrypted?
No. The payload is only Base64url-encoded, so anyone holding the token can decode and read it. Never put secrets in a JWT. The signature guarantees integrity, not confidentiality.
How do I handle JWT expiration?
Use short-lived access tokens plus a longer-lived refresh token. When the access token expires, the client uses the refresh token to get a new one without logging in again.
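The structure, signing and verification described above, together with the two FAQ points (the payload is readable without the key; expiry is handled with a short-lived access token and a longer-lived refresh token), as one added example in Python. This is illustration code written for this page, not a library the page uses; it implements HS256 only with the standard library, and the helper names, the `use` claim that distinguishes access from refresh tokens, the lifetimes and the constructed secret in the demo are all assumptions of the example. The verifier pins the algorithm it accepts rather than trusting the token's own header, compares signatures in constant time, and treats a token as valid only while the current time is before `exp`.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed lifetimes for the example; a deployment tunes these to its own risk tolerance.
ACCESS_TTL = 15 * 60          # short-lived access token: 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # longer-lived refresh token: 30 days


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature; the HMAC-SHA256 covers 'header.payload'."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_unverified(token: str) -> dict:
    """The payload is only encoded, not encrypted: no key is needed to read it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now=None):
    """Return (claims, None) if authentic and unexpired, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        signature = b64url_decode(sig_seg)
    except ValueError:
        return None, "undecodable header or signature"
    # Pin the algorithm: the verifier decides how to check, never the token's header.
    if header.get("alg") != "HS256":
        return None, "unexpected algorithm"
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None, "bad signature"
    try:
        claims = json.loads(b64url_decode(payload_seg))
    except ValueError:
        return None, "undecodable payload"
    now = time.time() if now is None else now
    # RFC 7519: the token is valid only while the current time is before exp.
    if "exp" in claims and now >= claims["exp"]:
        return None, "expired"
    return claims, None


def issue_token_pair(subject: str, secret: bytes, now=None):
    """Login response: a short-lived access token plus a longer-lived refresh token."""
    now = int(time.time() if now is None else now)
    access = sign_hs256({"sub": subject, "use": "access", "iat": now, "exp": now + ACCESS_TTL}, secret)
    refresh = sign_hs256({"sub": subject, "use": "refresh", "iat": now, "exp": now + REFRESH_TTL}, secret)
    return access, refresh


def refresh_access(refresh_token: str, secret: bytes, now=None):
    """Exchange a valid refresh token for a new access token without re-entering credentials."""
    claims, err = verify_hs256(refresh_token, secret, now)
    if err:
        return None, err
    if claims.get("use") != "refresh":
        return None, "not a refresh token"  # an access token must not mint new access tokens
    now = int(time.time() if now is None else now)
    new_access = sign_hs256({"sub": claims["sub"], "use": "access", "iat": now, "exp": now + ACCESS_TTL}, secret)
    return new_access, None


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-for-real-use"  # constructed for the demo
    access, refresh = issue_token_pair("alice", secret)
    print("access token:", access)
    print("payload readable without the key:", read_payload_unverified(access))
    print("verify with right key:", verify_hs256(access, secret))
    print("verify with wrong key:", verify_hs256(access, b"other-secret"))
    print("refresh to new access token:", refresh_access(refresh, secret)[0] is not None)
```

Run it directly to see a signed token, its decoded payload, and the verification results. Because the signature covers the exact `header.payload` bytes, changing any claim in the payload invalidates the token unless the attacker also holds the secret, which is why the server can trust the claims without a database lookup.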