What is JWT
A JSON Web Token (JWT, pronounced "jot") is a compact, self-contained token for transmitting identity claims between parties. It's signed cryptographically, so the server can verify its authenticity without a database lookup.
How it works
A JWT has three base64url-encoded parts separated by dots: header.payload.signature. Base64url is ordinary base64 with "-" and "_" in place of "+" and "/" and no "=" padding, so a token can travel in URLs and HTTP headers unchanged.
The header names the signing algorithm (e.g., HS256, RS256). The payload contains claims, key-value pairs such as the user ID, role, and expiration time (exp). The signature covers the encoded header and payload. With HS256 it is an HMAC computed with a secret shared by issuer and verifier; with RS256 or ES256 it is an RSA or ECDSA signature made with the issuer's private key and checked with the matching public key.
To verify a JWT, the server checks the signature with its key (recomputing the HMAC, or running the public-key verification) and then checks the claims: the token has not expired, and the issuer and audience are the ones it expects. Only then are the claims trusted. The algorithm to verify against must come from server configuration, not from the token's header, because the header is attacker-controlled; accepting an "alg" of "none", or letting a library treat an RSA public key as an HMAC secret, are the classic ways verification is bypassed. No database query is needed: the token carries all necessary information.
The payload is base64url-encoded, not encrypted. Anyone who holds the token can decode and read the claims. Never put secrets, passwords, or other sensitive data in a JWT.
Why it matters
JWTs enable stateless authentication. The server doesn't need to store sessions or look up tokens — verification is a CPU operation, not an I/O operation. This scales well for microservices where multiple services need to verify identity independently. The tradeoff: JWTs can't be revoked before expiration (without maintaining a blocklist), so short expiration times and refresh token flows are essential.
See How API Authentication Works for JWT structure, signing algorithms, and refresh token flows.