Tech Terms Explained Open in the app →

JWT

Security · Intermediate · 4 min read

What is it?

A JWT is a compact, signed token that carries claims (like who you are) and can be verified without looking anything up in a database.

Explain like I'm 5

A JWT is like a tamper-proof wristband at an event: it states who you are and what you're allowed to do, and staff can check it's genuine just by looking, without calling the office.

Why was it created?

It was created to pass verifiable identity and permission information between systems in a self-contained, stateless way.

Where is it used?

  • API authentication tokens
  • Stateless sessions
  • Passing identity between services
  • OAuth/OpenID Connect tokens

Why should developers care?

JWTs are everywhere in modern auth, APIs, and microservices. Developers handle them constantly.

How does it work?

A JWT has three parts: a header, a payload of claims, and a signature. The server signs it with a secret or key; anyone with the key can verify the signature, proving the token wasn't altered.

Real-world example

After login, a server issues a JWT; the client sends it with each request, and the server verifies the signature to trust the user's identity without a database lookup.

Common use cases

  • Stateless API auth
  • Single sign-on tokens
  • Service-to-service identity
  • Short-lived access tokens

Advantages

  • Self-contained and stateless
  • Fast to verify
  • Works across services
  • Standardized format

Disadvantages

  • Hard to revoke before expiry
  • Payload is readable (not encrypted by default)
  • Easy to misuse (e.g. storing too much, weak signing)

When should you use it?

For stateless authentication and passing identity between services.

When should you avoid it?

When you need instant revocation or to store sensitive data in the token.

Alternatives

Opaque server-side session tokensAPI keys

Related terms

OAuthSessionCookieHTTPS

Interview questions

Beginner

  • What is a JWT used for?
  • What are the three parts of a JWT?

Intermediate

  • Is the JWT payload encrypted?
  • Why are JWTs hard to revoke?

Senior

  • How do you handle JWT revocation and rotation?
  • Why use short expiry plus refresh tokens?

Common misconceptions

  • "JWT contents are secret" — the payload is only encoded, not encrypted; anyone can read it unless you encrypt it.
  • "JWTs can be revoked instantly" — they're valid until expiry unless you add a denylist or keep them short-lived.

Fun facts

  • JWT stands for JSON Web Token.
  • The parts are Base64URL-encoded and separated by dots.

Timeline

  • 2015 — JWT standardized as RFC 7519

Learning resources

Quick summary

A JWT is a signed, self-contained token carrying identity claims that any service with the key can verify without a database lookup.

Cheat sheet

  • Signed token: header.payload.signature
  • Stateless and self-verifying
  • Payload is readable, not encrypted
  • Hard to revoke — keep them short-lived

If you remember only one thing

A JWT is a signed token that proves identity without a database lookup — but it's readable and hard to revoke.