
JWT (JSON Web Token)

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. Defined by RFC 7519, JWTs are digitally signed — using either a symmetric secret (HMAC) or an asymmetric key pair (RSA or ECDSA) — so a recipient holding the verification key can confirm who issued the token and detect any tampering with its contents. JWTs are widely used for authentication and authorization in modern web applications and APIs, often serving as bearer tokens in the OAuth 2.0 framework.

JWT Structure

A JWT consists of three parts separated by dots: a header, a payload, and a signature. The header specifies the token type and signing algorithm (e.g., {"alg": "RS256", "typ": "JWT"}). The payload contains claims — statements about the user and metadata such as the subject (sub), issued-at time (iat), expiration time (exp), and custom claims like user roles or permissions. The signature is created by Base64URL-encoding the header and the payload, joining the two encoded parts with a dot, and signing that string with the specified algorithm and a secret or private key. The resulting token looks like xxxxx.yyyyy.zzzzz.

Advantages of JWTs

JWTs are self-contained, meaning the server can validate the token and extract user information without querying a database or session store on every request. This stateless property makes JWTs particularly well-suited for distributed systems and microservices architectures where sharing session state across servers is impractical. They are compact enough to be sent in HTTP headers, URL parameters, or cookies. The standardized format ensures interoperability across different languages, frameworks, and platforms.

Security Considerations

Despite their popularity, JWTs require careful handling. Tokens should always have a reasonable expiration time to limit the damage if they are compromised. Since JWTs are only encoded (Base64URL), not encrypted, sensitive data should never be placed in the payload unless the token is also encrypted (JWE); anyone holding the token can read the claims. Applications must validate the signature, check expiration, and verify the issuer (iss) and audience (aud) claims. The none algorithm should be explicitly rejected to prevent signature bypass attacks; more generally, the verifier should accept only the algorithms it expects rather than trusting the alg value in the header. For scenarios requiring immediate token revocation, a token denylist or short expiration with refresh tokens is necessary, since JWTs cannot be invalidated server-side by default.
