JWT
What is it?
A JWT is a compact, signed token that carries claims (like who you are) and can be verified without looking anything up in a database.
Explain like I'm 5
Why was it created?
It was created to pass verifiable identity and permission information between systems in a self-contained, stateless way.
Where is it used?
- API authentication tokens
- Stateless sessions
- Passing identity between services
- OAuth/OpenID Connect tokens
Why should developers care?
JWTs are everywhere in modern auth, APIs, and microservices. Developers handle them constantly.
How does it work?
A JWT has three parts: a header, a payload of claims, and a signature. The server signs it with a secret or key; anyone with the key can verify the signature, proving the token wasn't altered.
Real-world example
After login, a server issues a JWT; the client sends it with each request, and the server verifies the signature to trust the user's identity without a database lookup.
Common use cases
- Stateless API auth
- Single sign-on tokens
- Service-to-service identity
- Short-lived access tokens
Advantages
- Self-contained and stateless
- Fast to verify
- Works across services
- Standardized format
Disadvantages
- Hard to revoke before expiry
- Payload is readable (not encrypted by default)
- Easy to misuse (e.g. storing too much, weak signing)
When should you use it?
For stateless authentication and passing identity between services.
When should you avoid it?
When you need instant revocation or to store sensitive data in the token.
Alternatives
Related terms
Interview questions
Beginner
- What is a JWT used for?
- What are the three parts of a JWT?
Intermediate
- Is the JWT payload encrypted?
- Why are JWTs hard to revoke?
Senior
- How do you handle JWT revocation and rotation?
- Why use short expiry plus refresh tokens?
Common misconceptions
- "JWT contents are secret" — the payload is only encoded, not encrypted; anyone can read it unless you encrypt it.
- "JWTs can be revoked instantly" — they're valid until expiry unless you add a denylist or keep them short-lived.
Fun facts
- JWT stands for JSON Web Token.
- The parts are Base64URL-encoded and separated by dots.
Timeline
- 2015 — JWT standardized as RFC 7519
Learning resources
Quick summary
A JWT is a signed, self-contained token carrying identity claims that any service with the key can verify without a database lookup.
Cheat sheet
- Signed token: header.payload.signature
- Stateless and self-verifying
- Payload is readable, not encrypted
- Hard to revoke — keep them short-lived