A JWT, or JSON Web Token, is a compact, digitally signed token used to represent claims between a client and a server. JWTs are commonly used in authentication systems to prove that a user has already logged in. The token contains a header, a payload, and a signature, all encoded in a URL-safe format. Backends validate the signature to ensure the token has not been tampered with. Because JWTs are stateless, servers do not need to store session data, which makes them convenient for distributed systems.
How it works
After a user authenticates, the server generates a JWT containing information such as the user ID and an expiration time. The token is then returned to the client, which usually stores it in a cookie or sends it in an Authorization header. On subsequent requests, the client sends the token, and the server verifies its signature using a secret key or a public key. If the token is valid, the server treats the user as authenticated. JWTs can include custom claims that describe roles or permissions. However, long-lived or poorly validated tokens can create security risks.