DEV Community

Discussion on: What the heck is JWT anyway?

siwalikm profile image
Siwalik Mukherjee Author • Edited on

Hi @nemanja_pet!

  1. You can use JWT token for various types of authentications, even for logged in users. For example when a user logs in to your website with their credentials, the api response might return a JWT token as a part of the response. After logging in, on subsequent calls to the API, the client (browser) can send the JWT token to the server and on authenticating the token, the API can return results to make sure it's a legit request.

  2. You can definitely store a JWT token in the client in cookies, local / session storage based on your need. Just make sure to not generate the JWT token in the client as the secret will be visible on inspecting source.

  3. Ideally you should! The payload part can contain a claim called "exp" whose value should be a timestamp when the token expires. That way the same token cannot be highjacked by someone else and used to make API calls impersonating the actual user.

Hope that answers your questions.