What is it
JWT stands for JSON Web Token (pronounced "jot"). It is an open standard (RFC 7519) for transmitting claims, typically identity and permission information, between systems as a compact string that is signed so the receiver can detect tampering.
When an API says you need a "token" to authenticate, that token is very often a JWT.
JWT Structure
A JWT has three parts separated by dots (shown here on separate lines; the real token is a single line):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFuYSBHYXJjw61hIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjQwMDAwMDAwLCJleHAiOjE2NDAwMDcyMDB9.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. Header
Declares the signing algorithm and the token type:
{
"alg": "HS256",
"typ": "JWT"
}
2. Payload
The data we want to transmit:
{
"sub": "1234567890",
"name": "Ana García",
"role": "admin",
"iat": 1640000000,
"exp": 1640007200
}
3. Signature
Lets the verifier detect tampering. It is computed over the base64url-encoded header and payload (joined with a dot) using the secret key (HS256) or the issuer's private key (RS256). Changing a single byte of the header or payload without the key invalidates the signature.
How JWT Authentication Works
1. User logs in (email + password)
↓
2. Server verifies credentials
↓
3. Server generates JWT signed with secret key
↓
4. Server sends JWT to client
↓
5. Client stores JWT (for browsers, ideally an HttpOnly cookie rather than localStorage)
↓
6. On each request, client sends: Authorization: Bearer <JWT>
↓
7. Server verifies the signature and the claims (expiry, audience, issuer) → if valid, processes the request
JWT Advantages
| Advantage | Description |
|---|---|
| Stateless | The server doesn’t need to store sessions in the database |
| Portable | The same token works across multiple services |
| Self-contained | The token carries user information — no need to look it up |
| Verifiable | Any service holding the verification key (the public key for RS256, the shared secret for HS256) can verify it |
Standard Payload Fields
| Field | Name | Description |
|---|---|---|
| sub | Subject | User identifier |
| iss | Issuer | Who issued the token |
| aud | Audience | Who the token is for |
| exp | Expiration | When it expires |
| iat | Issued At | When it was issued |
| nbf | Not Before | When it becomes valid |
Security Best Practices
✅ Do:
- Use short expiration times (exp): 15 minutes to 24 hours
- Always transmit over HTTPS
- Store tokens in HttpOnly cookies for web apps (not localStorage, which any script running in the page can read)
- Use secure algorithms: RS256 (or ES256) when several services must verify tokens, HS256 only where the issuer and the verifier are the same trusted party, and have the verifier pin the expected algorithm rather than trusting the token's alg header
- Validate the standard claims (exp, nbf, iss, aud) on every request, not just the signature
❌ Don't:
- Store sensitive data in the payload (it's base64url-encoded, not encrypted, so anyone holding the token can read it)
- Create tokens that never expire
- Transmit over unencrypted HTTP
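As an added example (not code from the original page), here is a minimal HS256 signer and verifier in plain Python using only the standard library. It implements the three-part structure described above, the signing and verification steps of the authentication flow, and the checks from the best-practice list: base64url without padding, HMAC-SHA256 over header.payload, constant-time signature comparison, an algorithm pinned by the verifier rather than read from the token, and exp/nbf/iss/aud validation. The secret, issuer and audience values are constructed for the demo and are not real.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; a real service loads the secret
# from a secrets manager and the issuer/audience from configuration.
SECRET = b"demo-secret-do-not-use-in-production"
ALLOWED_ALG = "HS256"                      # pinned by the verifier, never read from the token
EXPECTED_ISS = "https://auth.example.com"  # hypothetical issuer
EXPECTED_AUD = "orders-api"                # hypothetical audience


class InvalidToken(Exception):
    """Raised for any token the verifier refuses to accept."""


def b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims if the signature and the standard claims check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise InvalidToken("malformed header or signature") from exc
    # Pin the algorithm: a token claiming alg=none or any other alg is rejected
    # before its payload is ever trusted.
    if header.get("alg") != ALLOWED_ALG:
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(p64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    # Signature is good; now enforce the temporal and audience claims.
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise InvalidToken("issuer or audience mismatch")
    return claims


def demo(now: int = 1640000100) -> dict:
    """Mint a token from the page's example payload (plus iss/aud) and verify it."""
    claims = {
        "sub": "1234567890", "name": "Ana García", "role": "admin",
        "iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
        "iat": 1640000000, "exp": 1640007200,
    }
    return verify(sign(claims), now=now)


if __name__ == "__main__":
    print(demo())
```

The verifier checks the algorithm and the signature before it decodes the payload, so nothing in the token is trusted until the HMAC matches; a token whose header says alg=none, whose payload has been edited, or whose exp has passed is rejected with the same exception type, and the caller treats all of them as an unauthenticated request.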
JWT vs Traditional Sessions
| Aspect | Traditional Session | JWT |
|---|---|---|
| Storage | On server (DB or Redis) | On client (token) |
| Scalability | Requires shared sessions | Any server can verify |
| Revocation | Immediate (delete the session) | Complex (must wait for expiry or use blacklist) |
| Size | Small ID | Larger token |
| Best for | Traditional web apps | APIs, microservices, mobile apps |
Related Terms
- [[API]] - APIs use JWT to authenticate who makes each request
- [[REST]] - REST APIs carry the JWT in the Authorization header
- [[Shift-Left Security]] - Token security must be thought through from design time
- [[Microservices]] - JWT allows multiple services to validate identity without central coordination
Additional Resources:
- JWT.io - Visual JWT token decoder
- Auth0 - Introduction to JWTs