I'm going to avoid jargon here as much as I can. So let me explain things in simple words.
It's a token: a string that, if you (the user of the app) hold it, lets you access or update certain things on the server.
For example, if you want to update your profile picture, you should have the token that allows your account to update that profile picture.
The server generates it for the user once the user proves to the server that he or she is entitled to one. This typically happens when the user logs in to the app.
So when the user fills in the username/password and presses log in, the server checks that they are correct, and if so, the server generates the token and sends it in the response of that log-in request.
The user should embed it with every request sent to the server. (Or at least with the requests that require authorization.)
Typically, you would include it in the header of the request, specifically the
You can use localStorage to store it, but any script running in the page can read localStorage, so an XSS bug would let an attacker's script steal the token. A better choice is a cookie, ideally one marked HttpOnly so that scripts cannot read it at all.
When the server generates the token, it includes the user's email, username, etc. (anything it can identify the user with). So, for example, if the token contains your email address, then you can access only stuff related to the user with that email address.
Yes it can, inside the payload section.
Yes they can!
When the server generates the token, it digitally signs it with a secret key.
I can dive further into what a digital signature is and how it's generated, but let's keep things simple here and just keep in mind that if you have a token and you modified it, the server won't give you access to anything because the token has been changed.
Yes, it will be valid forever unless the server specifies an expiration time when generating it.
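To make the last few points concrete, here is a small added example (not code from the original post) of a server issuing and checking an HMAC-signed token: the payload carries the user's email, the signature is made with a secret only the server knows, a token whose payload has been edited fails the check, and a token with no expiration time is accepted indefinitely. The secret key and email addresses are constructed for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for this example; a real server keeps its key private and random.
SECRET = b"example-server-secret-not-for-production"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input):
    # HMAC-SHA256 over "header.payload", the HS256 signature used by JWT
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue_token(email, lifetime_seconds=None, now=None):
    """Server side, after a successful login: build header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"email": email, "iat": now}
    if lifetime_seconds is not None:
        payload["exp"] = now + lifetime_seconds  # without exp the token never expires
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    return f"{signing_input}.{_sign(signing_input.encode())}"

def verify_token(token, now=None):
    """Server side: return the payload if the signature is valid and not expired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    expected = _sign(f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # signature does not match: token was altered or forged
    payload = json.loads(_b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        return None  # expired
    return payload

def modified_token(token, new_email):
    """What a client gets by editing the payload: the old signature no longer matches."""
    header_b64, payload_b64, sig = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["email"] = new_email
    return f"{header_b64}.{_b64url(json.dumps(payload).encode())}.{sig}"
```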
If you have any questions, ask them in the comments.