What is JWT (JSON Web Token)?
A compact, URL-safe token format for transmitting claims between parties, cryptographically signed by the issuer.
Full explanation
A JWT has three parts: a header (algorithm and type), a payload (the claims), and a signature (HMAC or asymmetric). JWTs are used for session tokens, OAuth access tokens, and OpenID Connect identity tokens. Verification requires pinning the expected algorithm on the server side rather than trusting the token's `alg` header, checking the signature, and validating the claims (issuer, audience, expiration). Skipping any one of these is how most JWT bugs ship.
Example
`eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0IiwiZXhwIjoxNzA...` — three base64url-encoded segments (header, payload, signature) separated by dots.
FAQ
Should I use JWT for sessions?
Server-side sessions with a short cookie are simpler and easier to revoke. Use JWT for cross-service auth and public APIs where statelessness matters.