DEV Community

Discussion on: Explain JWT like I'm five.

Daniel J. Summers

I agree with Kaesy - this is tough, and I'm not sure I'd want 5-year-olds managing my application security. :) That being said, here's my not-perfect-but-maybe-adequate take...

Traditional web security has you collecting a lot of stuff about a person, and then, when the person says that it's them asking for the information, you either have to make sure the person is real yourself, or trust that the person isn't pretending to be someone else. Also, when you and that person agree to start talking, you come up with a card that they can show you, and you remember that person.

With JWTs, the other person hands you a card with stuff that you can quickly verify. If it's fake, you can tell them you can't talk to them. Each card is signed, and if it isn't signed by the right person, you can't talk to them. Since you can check all this quickly, you don't have to agree to start talking and remember who all you're talking to - you just make sure you're OK with talking to that person, then go ahead. You can sign these cards, or you can trust other people to sign these cards, but it's easy to spot when someone gives you a fake card.