JWT
JSON Web Token—a compact, URL-safe token format used for securely transmitting authentication and authorization information.
Definition
JSON Web Tokens (JWTs) are self-contained tokens encoding claims (user identity, permissions, expiration) as JSON, signed so that any tampering can be detected. They're widely used for stateless authentication in web applications and APIs.
JWTs contain three parts: a header (token type and signing algorithm), a payload (claims such as user ID and expiration), and a signature (which lets the recipient verify that the header and payload have not been altered). Each part is Base64url-encoded separately and the three are joined with dots for transmission.
Why It Matters
JWTs enable stateless authentication at scale. Unlike session-based auth requiring server-side storage, JWTs carry all needed information—perfect for distributed systems and microservices.
Understanding JWT security is critical: a JWT is only as trustworthy as the signature verification behind it, and improperly implemented JWTs create vulnerabilities. Tokens must be stored securely, transmitted over HTTPS, and expire appropriately.
Examples in Practice
A user logs into a SPA. The server returns a JWT containing their user ID and role. All subsequent API requests include this JWT in headers, authenticating without server-side session lookup.
A mobile app uses refresh tokens (long-lived) and access tokens (short-lived JWTs) for secure, persistent authentication without requiring frequent re-login.