Think of a JWT as a temporary ID badge given to you after you log in. It proves who you are to a website so you do not have to type your password for every new page.

The Digital ID Card

Tokens allow servers to be 'stateless,' meaning they do not need to remember every visitor. The token carries all the necessary user info, so the server can stay light and fast.

Forgetful Servers

Every token is made of three distinct parts separated by dots. These parts work together to define what the token is, what it says, and if it is authentic.

The Three Segments

The first part of the token acts like a label on a package. It tells the system what kind of token it is and what mathematical method was used to secure it.

The Label (Header)

This is the middle section that holds the actual data, such as your username or account level. These pieces of information are called 'claims.'

The Information Pack (Payload)

The final part is a unique code that acts like a wax seal. If anyone changes a single letter in the token, the seal breaks and the server will know it has been tampered with.

The Digital Seal (Signature)

Tokens look like random gibberish, but they are actually just 'encoded' using a standard format called Base64. This makes them safe to send over the internet, but anyone can still read the contents.

Scrambled but Readable (Encoding)

To keep accounts safe, tokens are designed to 'expire' or stop working after a short time. This ensures that a stolen token cannot be used by a hacker forever.

Setting an Expiry Date

When you log in, the server creates the token and sends it to your browser. Your browser then presents that token automatically every time you ask the website for data.

The Authentication Journey

Because anyone can unscramble a token to read the payload, you should never put sensitive data like passwords inside one. Use it only for non-secret facts like a user ID.

No Private Secrets

Your browser needs a place to keep the token, such as 'Local Storage' or 'Cookies.' Picking the right storage method helps prevent hackers from stealing your ID card.

Digital Wallet (Storage)

Whenever a server receives a token, it does a quick math check on the signature. If the math does not match the data, the server immediately rejects the request.

Spotting a Tampered Token

A 'refresh token' is a special long-term key used to get a new identity token when the old one expires. This keeps you logged in smoothly without requiring a new password.

Secrets Stay Out