YES I AM THE ONE WHO REQUESTED THE ACCESS

jatin — Mon, 15 Dec 2025 23:47:11 +0000

NOTE : This is my first post, so apologies in advance if I’ve misunderstood something.I’m open to discussions and corrections

Have u guys ever feel the magic of authorization and secure information transfer (via signing) like which resource is allowed for your use and what is not under your access or u want to transfer sensitive information then how we know that they have encrypted them or not

WELL, JWT is widely used in modern web applications

What is JWT?

JWT stands for JSON Web Tokens defines a compact and self-contained way for securely transmitting information between parties as a JSON object.This information can be verified and trusted because it is digitally signed.

JWT are short lived they expire after some time which make them special.

Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties.

USE OF JWT ?

JWT is majorly used in authorization and information exchange
1>Authorization: it is most common use case of JWT . it is related to access routes, services, and resources that are permitted with that token. there is a difference between authentication and authorization well both use jwt but authentication is like you want to verify the user but authorization is related to access to resources.

Authentication → verifies who the user is
Authorization → determines what the user is allowed to access

2>Information Exchange: It is like securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are.

Structure of JWT ?

A JWT consists of three parts, separated by dots (.):

1> HEADER: Contains metadata about the token
{ "alg": "HS256", "typ": "JWT" }

2> Payload: Contains the actual data (claims)
{ "userId": 123, "email": "user@example.com", "role": "admin", "exp": 1712345678 }

3>Signature: Used to verify that the token was not tampered with.
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key )

How JWT Authentication Works (Flow)?

User logs in with email & password
Server verifies credentials
Server generates JWT using a secret key
JWT is sent to client
Client stores JWT (cookie / localStorage)
Client sends JWT in Authorization header for every request
Server verifies JWT and allows access

Advantages of JWT :

Stateless authentication (no DB lookup per request)
Fast & scalable
Easy to use across microservices
Works well with REST APIs & mobile apps

Disadvantages of JWT :

Token cannot be revoked easily
If token is stolen, attacker gets access
Payload is readable (not encrypted)
Large tokens increase request size

JWT in Express.js :

Generate Token

const jwt = require("jsonwebtoken");

const token = jwt.sign(
  { userId: user._id },
  process.env.JWT_SECRET,
  { expiresIn: "1h" }
);

Verify Token (Middleware)

const verifyToken = (req, res, next) => {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) return res.status(401).json({ message: "No token" });

  jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
    if (err) return res.status(403).json({ message: "Invalid token" });
    req.user = decoded;
    next();
  });
};

Final Thoughts:

JWT is powerful, fast, and widely adopted — but only when used correctly.
Understanding how it works internally helps in designing secure and scalable systems.

I’m starting this as a learning hobby to improve my knowledge and connect with talented people.
Feedback and suggestions are always welcome

DEV Community: jatin