<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tanmay Upadhyay</title>
    <description>The latest articles on DEV Community by Tanmay Upadhyay (@tanmay_upadhyay_50802a11b).</description>
    <link>https://dev.to/tanmay_upadhyay_50802a11b</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4021882%2F0ffa3ebf-4c27-40ad-bf30-255d43f5f693.png</url>
      <title>DEV Community: Tanmay Upadhyay</title>
      <link>https://dev.to/tanmay_upadhyay_50802a11b</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tanmay_upadhyay_50802a11b"/>
    <language>en</language>
    <item>
      <title>Decoding JWT: It's Not Encryption, It's a Signature</title>
      <dc:creator>Tanmay Upadhyay</dc:creator>
      <pubDate>Wed, 08 Jul 2026 21:17:33 +0000</pubDate>
      <link>https://dev.to/tanmay_upadhyay_50802a11b/decoding-jwt-its-not-encryption-its-a-signature-2hn0</link>
      <guid>https://dev.to/tanmay_upadhyay_50802a11b/decoding-jwt-its-not-encryption-its-a-signature-2hn0</guid>
      <description>&lt;p&gt;Every API request needs to answer: who is this, and are they allowed? Session auth answers it by having the server remember every login. JWT answers it by making the client carry its own proof — no server memory needed.&lt;/p&gt;

&lt;p&gt;What's inside a token&lt;br&gt;
Header . Payload . Signature.&lt;/p&gt;

&lt;p&gt;Header and payload are just base64-encoded — readable by anyone, not encrypted. The signature is what matters: a hash of the header + payload, made with a secret key only the server knows. Change one character of the payload, the signature breaks, the server rejects it. Trust comes from the math, not from hiding the data.&lt;/p&gt;

&lt;p&gt;Client logs in with credentials&lt;br&gt;
Server verifies them, signs a token, sends it back&lt;br&gt;
Client attaches the token to every future request&lt;br&gt;
Server checks the signature — no database lookup&lt;br&gt;
Valid + not expired → request proceeds&lt;br&gt;
No session table anywhere. The auth state lives inside the token itself.&lt;/p&gt;

&lt;p&gt;The trade-off&lt;br&gt;
Can't instantly revoke a token — it's valid until it expires. Fix: short-lived access tokens + a revocable refresh token.&lt;br&gt;
Payload is readable, so never put sensitive data in it. Security comes from HTTPS + safe client-side storage, not secrecy.&lt;br&gt;
One-liner to remember it by&lt;br&gt;
Session auth: remember who logged in, check memory each time. JWT: remember nothing, verify the proof each time.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
      <category>beginners</category>
    </item>
  </channel>
</rss>
