What is JWT?
A JSON Web Token (JWT) is a short, URL-safe string that carries information (called “claims”) about a user or system. It is digitally signed so the receiver can verify that the data hasn’t been tampered with.
Let's break it down
- JSON: a simple text format (like a list of key-value pairs) that computers can read easily.
- Web: means it’s meant to travel over the internet, often in web browsers or APIs.
- Token: a piece of data you hand over to prove who you are, similar to a ticket.
- Claims: the bits of information inside the token, such as a user ID or expiration time.
- Digitally signed: a signature (computed with HMAC or RSA) attached to the token so the receiver can check it wasn’t changed.
Why does it matter?
JWT lets different services talk to each other without needing to store session data on a server. This makes apps faster, easier to scale, and reduces the risk of stolen session IDs.
Where is it used?
- Logging into a single-page web app (the server sends a JWT after you sign in, and the browser includes it on each request).
- Mobile apps that call a backend API - the app stores the JWT and sends it with every API call.
- Micro-service architectures where one service needs to prove its identity to another.
- Single Sign-On (SSO) systems that let one login give access to many separate applications.
Good things about it
- Stateless: no need to keep session data on the server.
- Portable: works across browsers, mobile apps, and different programming languages.
- Self-contained: the token carries all the info needed, so the receiver can make decisions without extra lookups.
- Secure (when signed correctly): tampering can be detected instantly.
- Short-lived by design: setting a short expiration time limits how long a token stays valid.
Not-so-good things
- If a token is stolen, anyone who has it can act as the user until it expires.
- Large tokens can increase request size, affecting performance on low-bandwidth connections.
- Revoking a token before its expiration is tricky without additional infrastructure.
- Misconfiguration (e.g., using weak signing algorithms) can expose security holes.