If you've worked with authentication in APIs, chances are you've heard of JWT — but do you really know what it does under the hood?
What is JWT?
JWT stands for JSON Web Token.
It’s a compact and self-contained way to transmit information between two parties, usually between the client and the server, in a way that can be verified but not necessarily hidden.
How does it work?
A JWT is made up of three parts, separated by dots (.):
header.payload.signature
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ1c2VySWQiOiIxMjM0IiwicGVybWlzc2lvbnMiOlsiYWRtaW4iXX0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. Header
Specifies the signing algorithm and the type of token (JWT).
2. Payload
Carries the actual data (claims), like userId, roles, exp (expiration), etc.
3. Signature
Ensures integrity.
It's computed over the encoded header and payload using the algorithm named in the header, with either a shared secret (HMAC, e.g. HS256) or a private key (RSA/ECDSA, e.g. RS256/ES256). Because the signature covers both parts, any change to the header or payload makes it fail to validate, so the receiver can tell that the token hasn't been tampered with.
Why use JWT?
- ✅ Stateless: the server doesn’t need to store session data
- ✅ Compact: lightweight and ideal for mobile or web
- ✅ Easy integration: sent in the Authorization: Bearer <token> header
When not to use JWT?
- When you need real-time session revocation (e.g., logout everywhere)
- For apps with fine-grained, real-time access control
- If you need to store sensitive data inside the token (a standard signed JWT is only base64url-encoded, not encrypted; anyone holding the token can read the payload. Encrypted JWTs (JWE) exist but are far less common than the signed form)
Quick tip
Always verify the signature of the JWT before trusting anything in it, and decide the accepted algorithm and key on the server side rather than taking them from the token's own header (a token whose header says alg: none carries no signature at all). Check exp, and iss/aud if you set them, before using any claim.
And never store passwords or sensitive information in the payload: anyone who has the token can decode it.
Want more?
I can follow up with a post on:
- Refresh tokens and token expiration
- Best practices for secure JWT usage
- Real-world implementation tips
Let me know how you're using JWT in your projects — or what questions you still have about it.