Definition
JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting claims between parties. A JWT consists of three Base64url-encoded parts: header, payload, and signature. JWTs are widely used for authentication and authorization in web applications and APIs.
A JWT is a string with three parts separated by dots: header.payload.signature. The header specifies the token type and signing algorithm (e.g., HS256, RS256). The payload contains claims: key-value pairs carrying information such as user ID, email, roles, and expiration time. The signature lets the recipient check that the header and payload have not been tampered with.
JWTs are the de facto standard for stateless authentication in modern web applications. After login, the server issues a JWT that the client stores (typically in an httpOnly cookie or localStorage) and sends with subsequent requests. The server can verify the token's signature without database lookups, making JWTs efficient for distributed systems and microservices.
Important security considerations: JWT payloads are Base64-encoded, not encrypted — anyone can read the payload contents. Never store sensitive data (passwords, secrets) in JWT payloads. JWTs should use strong signing algorithms (RS256 or ES256 for asymmetric, HS256 with long keys for symmetric), include expiration times (exp claim), and be transmitted only over HTTPS. Token revocation requires additional infrastructure since JWTs are stateless by design.
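The following is an added example, not part of the original definition, showing the structure described above end to end with only the Python standard library: an HS256 token is built from header.payload.signature, its payload is read back without any key (it is encoded, not encrypted), and a verifier pins the algorithm, checks the HMAC signature in constant time, and enforces the exp claim. DEMO_KEY and all function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
# Constructed demo key; a real HS256 key is a random secret of at least 256 bits.
DEMO_KEY = b"constructed-demo-key-0123456789abcdef"


def b64url_encode(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    # "header.payload" is the signing input; the signature becomes the third part.
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_unverified(token: str) -> dict:
    # Anyone holding the token can do this: the payload is encoded, not encrypted.
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    # Returns the claims if the token is genuine and unexpired, else raises ValueError.
    h, p, s = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def is_valid(token: str, key: bytes, now=None) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False
```

Swapping the payload for one with different roles keeps it readable but makes the signature check fail, which is exactly the tamper detection the definition describes.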