What is a JWT (JSON Web Token)?

A JWT is a small signed digital ticket that proves who you are to a website without the site checking a big list every time.

Security gneurone encyclopedia

definition

A JWT, or JSON Web Token, is a compact string made of three Base64url-encoded parts separated by dots: a header describing the token type and signing algorithm, a payload holding claims such as the user ID and expiration time, and a signature that proves the header and payload have not been altered.

Servers issue JWTs after login; clients send them in request headers for later calls. The server verifies the signature with a secret or public key and trusts the claims inside without storing session data.

JWTs are defined in RFC 7519 and are widely used for API authentication because they are stateless and portable across services.

A JWT works like a stamped movie ticket that lists your seat and showtime; the theater prints and signs it once, then you show it at the door without staff looking up your name in a ledger.

key takeaways

  • JWTs are stateless so servers do not keep session records in memory or databases.
  • Each token carries its own expiration claim that limits how long it remains valid.
  • The signature prevents tampering but does not encrypt the payload contents.
  • JWTs must travel over HTTPS to avoid interception and replay attacks.
  • They are best suited for short-lived access tokens rather than long-term storage of sensitive data.

the 2026 job market

By 2026 API-first and microservice architectures continue to expand, keeping JWT skills in demand for backend, security, and platform engineering roles that design authentication layers for cloud and mobile products.

Security Engineer · $135000-$185000 USD / $115000-$155000 CAD / £75000-£105000 GBP

Backend Developer · $115000-$165000 USD / $100000-$140000 CAD / £65000-£90000 GBP

frequently asked questions

How is a JWT created and verified?

A server builds the header and payload, signs them with a secret key using the chosen algorithm, and returns the resulting string. On later requests the server recomputes the signature and checks that it matches and that the token has not expired.

What information is stored inside a JWT payload?

The payload holds claims such as the subject identifier, issued-at time, expiration, and any custom data such as roles. It is Base64url-encoded but not encrypted, so anyone holding the token can read it; it should never contain passwords or secrets.

Can a JWT be revoked before it expires?

Standard JWTs cannot be revoked easily because they are stateless. Systems that need revocation usually combine short expiration times with a token blacklist or rotate signing keys.
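The three answers above (how a token is built and verified, why the payload is readable without a key, and how a denylist plus short expiration stands in for revocation) can be shown in one small script. The following is an added example written for this article, not code from the encyclopedia or from any library; it uses only the Python standard library, the key DEMO_SECRET and the claim values are constructed for the demo, and the function names create_jwt, peek_payload, verify_jwt and is_valid are this example's own. The verifier pins the algorithm to HS256, compares signatures in constant time, rejects tokens without an exp claim, and consults a jti denylist on every call, which is the pattern the revocation answer describes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for this example only; a real service loads its key from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips, then decode (raises ValueError on bad input)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature, signed with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def peek_payload(token: str) -> dict:
    """Read the claims without any key: the payload is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify_jwt(token, secret, now=None, revoked=frozenset()):
    """Return the claims only if signature, expiry and revocation checks all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three parts")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:
        raise InvalidToken("undecodable header or signature")
    # Pin the algorithm to the one this server issues; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")
    signing_input = (parts[0] + "." + parts[1]).encode("utf-8")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        raise InvalidToken("undecodable payload")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("token expired or has no exp claim")
    # Denylist keyed on jti: with stateless tokens, revocation is this lookup on every request.
    if claims.get("jti") in revoked:
        raise InvalidToken("token revoked")
    return claims


def is_valid(token, secret, now=None, revoked=frozenset()) -> bool:
    """Accept/reject wrapper for callers that do not need the claims themselves."""
    try:
        verify_jwt(token, secret, now, revoked)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    token = create_jwt({"sub": "user-42", "role": "reader", "jti": "tok-1",
                        "iat": issued, "exp": issued + 900}, DEMO_SECRET)
    print("token:", token)
    print("payload read without a key:", peek_payload(token))
    print("valid 60 s after issue:", is_valid(token, DEMO_SECRET, now=issued + 60))
    print("valid after expiry:", is_valid(token, DEMO_SECRET, now=issued + 901))
    print("valid once revoked:",
          is_valid(token, DEMO_SECRET, now=issued + 60, revoked=frozenset({"tok-1"})))
```

Running the script prints the token, the decoded payload obtained without the key, and then True, False, False for the three checks. The 900-second lifetime is what bounds the damage of a token that is leaked or that the denylist misses, which is why the revocation answer pairs the denylist with short expirations rather than relying on either alone.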

What is the difference between access tokens and refresh tokens?

Access tokens are short-lived JWTs used to call protected APIs. Refresh tokens are longer-lived credentials that clients exchange for new access tokens without requiring the user to log in again.

courses to go further

Python Auth Web Security · 44 lessons · coming soon


Author(s)

REHOUMA Haythem

Haythem Rehouma is an AI and cloud engineer and architect, trainer and technical teacher, with a profile oriented toward medical AI, AWS, MLOps, LLM/RAG and computer vision.