APIs & Authentication
What is a JWT?
A JSON Web Token, a compact, signed piece of JSON used to convey claims (who the user is, what they can do) between systems.
A JWT is three base64url-encoded segments joined by dots: a header (the signing algorithm, e.g. HS256 or RS256), a payload (the claims as JSON), and a signature computed over the first two segments. Anyone can read the header and payload (base64url is encoding, not encryption), but only a holder of the signing key can produce a valid signature, which is what lets the receiver trust the claims.
JWTs are popular for stateless auth. The server signs a token at login, the client sends it on every request, and the server verifies the signature without hitting a database. This makes horizontal scaling trivial; the cost is that a JWT stays valid until its exp claim passes, so revoking one early requires a server-side denylist (which reintroduces the state you were avoiding) or a token lifetime short enough that waiting it out is acceptable.
Common pitfalls: letting the token's alg header choose the verification algorithm (the "none" attack, where an unsigned token is accepted, and algorithm confusion, where an RS256 public key is accepted as an HS256 secret), signing HS256 tokens with a short or guessable secret that can be brute-forced offline from a single captured token, skipping the exp check, putting sensitive data in the payload (it's readable by anyone who holds the token), and treating JWTs as opaque session tokens when a plain session cookie would have been simpler.
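The structure, verification and pitfalls above, as an added Python example that is not part of the original page. It uses only the standard library and assumes an HS256 shared secret (`SECRET`, deliberately weak so the guessing pitfall can be shown), a constructed token for a user "alice", and an in-memory `REVOKED_JTI` denylist; `mint`, `verify_naive`, `verify_strict`, `crack_hs256` and `demo` are the example's own names, not a library API.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Assumed for the example: a shared HS256 secret, deliberately weak to show the guessing pitfall.
SECRET = b"secret123"

def b64url_encode(raw: bytes) -> str:  # JWT segments are base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """header.payload.signature; alg='none' exists here only to build the forged test token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = b64url_encode(hs256(signing_input, key))
    elif alg == "none":
        sig = ""  # what an attacker sends: no signature at all
    else:
        raise ValueError(f"unsupported alg {alg}")
    return f"{header}.{payload}.{sig}"

def peek(token: str) -> tuple[dict, dict]:
    """Header and payload are readable by anyone holding the token; no key involved."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

class VerifyError(Exception):
    pass

def verify_naive(token: str, key: bytes) -> dict:
    """VULNERABLE: dispatches on the alg the token itself claims, so alg=none skips the MAC check."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h))["alg"]
    if alg == "none" or (alg == "HS256" and hmac.compare_digest(b64url_decode(s), hs256(f"{h}.{p}".encode(), key))):
        return json.loads(b64url_decode(p))
    raise VerifyError("bad signature")

REVOKED_JTI: set[str] = set()  # server-side denylist for tokens revoked before their exp

def verify_strict(token: str, key: bytes, now: float) -> dict:
    """Hardened: pin the algorithm, constant-time MAC compare, then enforce exp and the denylist."""
    parts = token.split(".")
    if len(parts) != 3:
        raise VerifyError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # the verifier, not the token, picks the alg
        raise VerifyError("algorithm not allowed")
    if not hmac.compare_digest(b64url_decode(s), hs256(f"{h}.{p}".encode(), key)):
        raise VerifyError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise VerifyError("missing or past exp")
    if claims.get("jti") in REVOKED_JTI:
        raise VerifyError("revoked")
    return claims

def crack_hs256(token: str, candidates: list[bytes]) -> bytes | None:
    """Offline guessing against a weak secret: the signature itself is the oracle, no server needed."""
    h, p, s = token.split(".")
    target, signing_input = b64url_decode(s), f"{h}.{p}".encode()
    return next((c for c in candidates if hmac.compare_digest(hs256(signing_input, c), target)), None)

def rejected(token: str, now: int) -> bool:
    try:
        verify_strict(token, SECRET, now=now)
        return False
    except VerifyError:
        return True

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a real token for alice, an alg=none forgery, expiry, revocation, weak secret."""
    REVOKED_JTI.clear()
    token = mint({"sub": "alice", "role": "user", "iat": now, "exp": now + 300, "jti": "t-1"}, SECRET)
    forged = mint({"sub": "alice", "role": "admin", "exp": now + 300, "jti": "t-2"}, b"", alg="none")
    out = {"peek_role": peek(forged)[1]["role"]}  # readable without any key
    out["naive_accepts_forgery"] = verify_naive(forged, SECRET)["role"] == "admin"
    out["strict_rejects_forgery"] = rejected(forged, now)
    out["strict_accepts_valid"] = verify_strict(token, SECRET, now=now)["sub"] == "alice"
    out["strict_rejects_expired"] = rejected(token, now + 300)
    REVOKED_JTI.add("t-1")  # logout before exp: denylist by jti
    out["strict_rejects_revoked"] = rejected(token, now)
    out["cracked_secret"] = crack_hs256(token, [b"password", b"hunter2", b"secret123"])
    return out

if __name__ == "__main__":
    print(demo())
```

The difference between the two verifiers is where the algorithm decision lives: `verify_naive` reads it from the attacker-controlled header, so a token with `alg: none` and an empty third segment sails through with `role: admin`; `verify_strict` hard-codes the one algorithm it accepts, compares the MAC with `hmac.compare_digest`, and only then looks at exp and the jti denylist. `crack_hs256` shows why the HS256 secret has to be long and random: a single captured token is enough to test guesses offline at full speed.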
FAQ
JWT vs session cookie?
A session cookie carries only a random ID; the server looks up the session state in a database or cache on every request. A JWT carries the state in the token itself, so verification needs only the key. JWTs scale better because no lookup is needed; sessions are easier to revoke because deleting the server-side record ends the session immediately.
Are JWTs encrypted?
Usually not. The common form is a signed JWS whose payload is base64url-encoded, so anyone who has the token can read it. Use JWE (JSON Web Encryption), which the JWT spec also allows, if you need confidentiality on top of signing.
What's the difference between JWS and JWT?
JWS (JSON Web Signature) is the underlying signing format. A JWT is a JWS (or, less commonly, a JWE) whose payload is a JSON object containing claims. Nearly every JWT you will meet is a JWS; not every JWS is a JWT, since a JWS can sign any payload.
Related terms
OAuth
A protocol that lets users grant a third-party app limited access to their data on another service, without sharing their password.
API key
A secret string that identifies and authenticates a client when calling an API, usually passed in a header on each request.
API
An Application Programming Interface, a contract that lets one program request actions or data from another in a stable, documented way.