DEV Community

Tanmay Upadhyay
Tanmay Upadhyay

Posted on

Decoding JWT: It's Not Encryption, It's a Signature

Every API request needs to answer: who is this, and are they allowed? Session auth answers it by having the server remember every login. JWT answers it by making the client carry its own proof — no server memory needed.

What's inside a token
Header . Payload . Signature.

Header and payload are just base64-encoded — readable by anyone, not encrypted. The signature is what matters: a hash of the header + payload, made with a secret key only the server knows. Change one character of the payload, the signature breaks, the server rejects it. Trust comes from the math, not from hiding the data.

Client logs in with credentials
Server verifies them, signs a token, sends it back
Client attaches the token to every future request
Server checks the signature — no database lookup
Valid + not expired → request proceeds
No session table anywhere. The auth state lives inside the token itself.

The trade-off
Can't instantly revoke a token — it's valid until it expires. Fix: short-lived access tokens + a revocable refresh token.
Payload is readable, so never put sensitive data in it. Security comes from HTTPS + safe client-side storage, not secrecy.
One-liner to remember it by
Session auth: remember who logged in, check memory each time. JWT: remember nothing, verify the proof each time.

Top comments (0)