What is JWT (JSON Web Token)? Definition & Meaning

A JWT is a compact, self-contained token used to securely transmit authentication information between your frontend and backend. After login, the server creates a JWT containing user info, and the frontend includes it with every subsequent request to prove identity — no need to check the database on every call.

JWTs are one of the most common authentication mechanisms in web applications. AI generates JWT-based auth frequently, and understanding the basics helps you verify the implementation.

How JWT Works

Login → Server creates JWT → Frontend stores JWT → Sends JWT with every request
                                                          ↓
                                              Server decodes JWT → Identifies user

What's Inside a JWT

A JWT has three parts separated by dots:

Part	Contains	Example
Header	Token type and algorithm	`{"alg": "HS256"}`
Payload	User data and claims	`{"userId": 123, "role": "admin"}`
Signature	Verification hash	Prevents tampering

JWT vs Sessions

JWT	Sessions
Stored on client	Stored on server
Stateless (no server lookup)	Requires database check
Larger request size	Smaller request size
Hard to invalidate	Easy to invalidate

Security Considerations

Never store sensitive data in JWT — Payload is encoded, not encrypted
Set expiration times — Tokens should expire (hours, not months)
Use HTTPS — Tokens in transit must be encrypted
Store securely — Use httpOnly cookies, not localStorage

For Vibe Coders

When AI generates JWT auth, verify:

Tokens have reasonable expiration times
Sensitive data isn't in the payload
Token storage uses httpOnly cookies
Refresh token flow exists for long sessions

Better yet, use an auth library that handles JWTs correctly for you.

JWT (JSON Web Token)

Example

How JWT Works

What's Inside a JWT

JWT vs Sessions

Security Considerations

For Vibe Coders