JWT (JSON Web Tokens)
JWTs are compact, URL-safe tokens that carry a set of claims (a JSON object) about an entity, signed so the recipient can detect tampering. They're commonly used for stateless authentication: the server keeps no session record and instead trusts the signed claims it issued earlier.
Token Structure
JWTs consist of three base64url-encoded parts separated by dots: Header.Payload.Signature. The header names the signing algorithm, the payload holds the claims, and the signature covers the first two parts. base64url is an encoding, not encryption: anyone holding the token can read the header and payload without any key.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Authentication Flow
- User authenticates with username/password
- Server creates and signs JWT
- Client stores JWT (usually in localStorage; any script running in the page can read it there, so an XSS bug leaks the token. An httpOnly cookie keeps it out of script reach but then needs CSRF protection)
- Client sends JWT in Authorization header for subsequent requests
- Server verifies the JWT signature with the algorithm it expects (never the one named in the token's own header, which is attacker-controlled), checks exp and any iss/aud claims it relies on, and only then trusts the user info in the payload
Authorization Header Example
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
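The structure, signing flow and header parsing above, worked through in code. This is an added example written for this page, not code from the original; it uses only the Python standard library, builds HS256 tokens by hand, and the secret and claim values in it are made up. It decodes the page's sample token without a key (showing the claims are readable), then signs and verifies a fresh token while rejecting a tampered payload, an expired token, a wrong key and alg=none.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The sample token from the page: readable by anyone, no secret required.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_unverified(token: str) -> tuple:
    """Split Header.Payload.Signature and parse the two JSON parts.
    No key is needed: the claims are encoded, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build and sign a token the way the server does in step 2 of the flow."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Server-side check from step 5: signature, then expiry. Raises ValueError
    on any failure and returns the claims only when everything passed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, not the token. This rejects
    # alg=none and tokens re-signed under a different algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checks don't leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def claims_from_authorization_header(value: str, secret: bytes,
                                     now: Optional[int] = None) -> dict:
    """Parse 'Authorization: Bearer <token>' (step 4) and verify the token."""
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise ValueError("expected 'Bearer <token>'")
    return verify_hs256(token.strip(), secret, now)


if __name__ == "__main__":
    # Constructed demo values; a real secret must be random and at least 256 bits.
    secret = b"demo-secret-do-not-use"
    issued = int(time.time())
    token = sign_hs256({"sub": "42", "iat": issued, "exp": issued + 300}, secret)
    print("issued:", token)
    print("verified claims:", claims_from_authorization_header("Bearer " + token, secret))
    print("page token claims (unverified):", decode_unverified(PAGE_TOKEN)[1])
    h, p, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"admin"}') + "." + s
    try:
        verify_hs256(forged, secret)
    except ValueError as err:
        print("forged token rejected:", err)
```

The check order matters: the algorithm is pinned before any signature work, and claims are only parsed into a trusted object after the signature passes, so a tampered payload never reaches application code. Real deployments would add iss and aud checks and a small clock skew allowance on exp.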
Pros & Cons
- ✅ Stateless (no server-side session storage)
- ✅ Compact and self-contained
- ✅ Works well with REST APIs
- ❌ Tokens can't be easily invalidated before they expire (mitigate with short lifetimes plus refresh tokens, or a server-side denylist, which gives up some of the statelessness)
- ❌ Larger payload size than session IDs
- ❌ Sensitive data exposure risk: the payload is only base64url-encoded, so put nothing in the claims you would not show the token holder, and send tokens over TLS only