What is a JWT?
A JWT (JSON Web Token, sometimes pronounced “jot”) is how many modern APIs keep track of who’s logged in. Web apps use them to handle authentication without storing session data on the server.
When you log in to an app, the server creates a JWT and sends it back to you. Your browser stores it and includes it in every subsequent request. The server reads the token, verifies the signature, and knows who you are without needing to look anything up in a database.
A JWT is made of three parts separated by dots: a header, a payload, and a signature. The header says what kind of token it is and which algorithm signed it (for example HS256 for HMAC-SHA256, or RS256 for an RSA signature). The payload carries claims like your user ID, email, and when the token expires. The signature is not a plain hash but an HMAC or digital signature computed with a key over the encoded header and payload, and it proves the token hasn’t been tampered with. If you change even one character in the header or payload, the signature won’t match and the server will reject it.
The payload is base64url-encoded, not encrypted. That means anyone can decode it and read the contents. Never put sensitive information like passwords in a JWT. What makes it secure is the signature, which only a holder of the signing key can produce: with a shared-secret algorithm like HS256 that is the server itself, and with a public-key algorithm like RS256 only the holder of the private key can sign, while anyone with the public key can verify. Either way, the server must verify the signature before trusting any claim in the payload.
JWTs shine in stateless APIs and microservices. Because the token carries everything the server needs, you don’t have to hit a shared session store on every request. Any service that holds the verification key can check the token independently. The caveat with a shared secret is that every service that can verify tokens can also mint them, so many deployments sign with a private key and hand the services only the public key.
The tradeoff is that a stateless verifier can’t revoke a JWT. Once issued, a token is valid until it expires. If a user logs out or gets their account suspended, the token keeps working until it hits its expiry time. The common workaround is short expiry times combined with refresh tokens; the alternative is a server-side denylist of revoked token IDs, which brings back the shared state JWTs were meant to remove. Either way it adds complexity.
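To make the three-part structure, the signature check and the expiry behaviour concrete, here is an added example (not code from the original post, and not what Auth0 or any library does internally) that mints and verifies an HS256 token using only the Python standard library. The key, claim values and timestamps are made up for the demonstration. It shows that the payload is readable without the key, that a one-claim change breaks the signature, that a verifier with the wrong key rejects the token, and that nothing but the clock ends the token’s life:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key for the example; a real deployment keeps this in a secrets store.
SECRET = b"example-hs256-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWTs use base64url with the '=' padding stripped (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that encoding removed before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header_b64 + "." + payload_b64
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is genuine and unexpired, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def decode_payload_unverified(token: str) -> dict:
    """Anyone can read the payload; this proves nothing about who issued it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tampered_copy(token: str, new_claims: dict) -> str:
    """Swap in a new payload but keep the old signature, as an attacker would try."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return header_b64 + "." + payload_b64 + "." + sig_b64


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the scenarios described in the text with a fixed clock and report each outcome."""
    claims = {"sub": "user-42", "email": "alice@example.com", "exp": now + 900}  # constructed sample
    token = mint_token(claims, SECRET)
    results = {"genuine": verify_token(token, SECRET, now)["sub"]}
    # Encoded, not encrypted: the email is readable without the key.
    results["readable_email"] = decode_payload_unverified(token)["email"]
    # Changing one claim invalidates the signature.
    try:
        verify_token(tampered_copy(token, {**claims, "sub": "admin"}), SECRET, now)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)
    # A verifier holding a different key rejects the token.
    try:
        verify_token(token, b"some-other-key", now)
        results["wrong_key"] = "accepted"
    except ValueError as e:
        results["wrong_key"] = str(e)
    # No revocation: the same token is good right up to exp, then rejected.
    try:
        verify_token(token, SECRET, now + 901)
        results["after_expiry"] = "accepted"
    except ValueError as e:
        results["after_expiry"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two details in `verify_token` are where real implementations have gone wrong: the algorithm is pinned to what the server expects rather than read from the token, and the signature is compared with `hmac.compare_digest` rather than `==`. Note also that the expiry check is the only thing that ends the token’s validity; the “logged out” user from the paragraph above would be indistinguishable from a live one until `exp` passes.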
I remember when JWTs first started gaining popularity. Before them, we constantly had session issues in scaled, service-oriented architectures. If you had multiple servers and a user’s session lived on one, requests routed to a different server would fail. JWTs largely solved that. Because the token is self-contained, any server can verify it without coordinating with the others. It made authorization in distributed systems so much simpler.
Now it’s the norm, and I use them extensively at my current company via Auth0. Once you understand the structure, they’re not scary at all.