A JSON Web Token (JWT) is a compact, self-contained token format used to securely transmit authentication and authorization information between two parties, typically a client and a server. Defined by the open standard RFC 7519, a JWT encodes a set of claims as a JSON object and signs it cryptographically, allowing the receiving party to verify both the token's authenticity and its integrity without querying a central database.
How a JWT Is Structured
A JWT consists of three parts separated by dots: a header, a payload, and a signature. The header specifies the token type and the signing algorithm being used, such as HMAC SHA-256 or RSA. The payload contains the claims, which are statements about the user or session - for example, a user ID, their role, or the token's expiration time. Both the header and payload are Base64URL-encoded, making the token URL-safe and compact enough to be passed in HTTP headers or query strings. The signature is generated by combining the encoded header and payload with a secret key, ensuring that the token cannot be tampered with undetected.
How JWTs Are Used in Authentication
In a typical web authentication flow, a user logs in with their credentials and the server responds by issuing a JWT. The client stores this token, commonly in memory or local storage, and attaches it to subsequent requests, usually in the Authorization HTTP header using the Bearer scheme. Because the server can verify the token's signature locally without looking up session data, this approach is well-suited to stateless architectures such as REST APIs and microservices.
JWTs are frequently used alongside OAuth 2.0, where they serve as access tokens or ID tokens in flows such as OpenID Connect. In that context, the JWT carries verified identity information about the authenticated user directly within the token itself.
Security Considerations
Because a JWT is self-contained, it cannot be invalidated server-side once issued, unless additional infrastructure such as a token blocklist is maintained. This makes token expiration times an important design consideration: shorter-lived tokens reduce the window of exposure if a token is compromised. Sensitive data should never be stored in the payload, since the payload is encoded but not encrypted by default - anyone who obtains the token can decode and read its contents. Encryption can be added using the related JWE (JSON Web Encryption) standard when confidentiality is required.
When implemented carefully, JWTs offer a scalable and interoperable mechanism for managing authentication state across distributed systems, making them one of the most widely adopted token formats in modern web development.