What is JWT?

A JSON Web Token (JWT) is an industry-standard token format (RFC 7519) used to securely transmit identity and claims data between parties. JWTs are popular in login systems, API access, single sign-on (SSO), and microservices authentication.

How Does a JWT Work?

A JWT is composed of three Base64URL-encoded parts, separated by dots:

• Header: Specifies the token type (JWT) and the signing algorithm (HS256, RS256, etc.).
• Payload: Contains claims such as user ID, expiration time, roles, and other metadata.
• Signature: Ensures the token is valid and unaltered. Created using the encoded header + payload + a secret key.

A typical JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

      

Why Use JWT?

• Compact: Small enough to send via URL, headers, or cookies.
• Self-contained: Includes all required user details inside the token.
• Secure: Signed using HMAC or RSA/ECDSA — prevents tampering.
• Stateless: The server does not need session storage. Great for scalable APIs.
• Fast: Efficient for microservices, serverless functions, and edge systems.

JWT Authentication Flow (Example)

Here's how a typical JWT login system works:

1. User logs in with email + password.
2. Server validates credentials.
3. Server generates a signed JWT token.
4. JWT is returned to the client (browser/app).
5. Client stores token (LocalStorage, Secure Cookie, etc.).
6. For each request, client sends JWT in Authorization header:
   Authorization: Bearer <token>
7. Server verifies the token and grants access.