Background, Definition, Structure, and Authentication Process of JWT (JSON Web Token)

Background and Definition

JWT stands for JSON Web Token. It is a web token technology that uses JSON format to transmit data. Like other tokens, JWT can be used for user login authentication and serves as an open standard for identity verification and authorization. Its compact, self‑contained format allows secure information exchange between parties, and the data can be verified and trusted because it is digitally signed.

Difference Between JWT and Traditional Tokens

Traditional stateful tokens require a database lookup to validate each request because the server must store session information. JWT is a stateless token: user information is embedded in the token itself, and the server only needs a secret key to verify the signature, eliminating the need for database queries.

Because the server does not store user data, JWT reduces server load and simplifies scaling in distributed environments.

Composition of JWT

JWT consists of three parts, each Base64URL‑encoded and separated by dots:

Header : a JSON object describing the token type and signing algorithm, e.g., {"alg":"HS256","type":"JWT"} .

Payload : contains standard claims (iss, sub, aud, exp, nbf, iat, jti) and any custom private claims. The payload is only Base64‑encoded, not encrypted, so it should not contain sensitive data.

Signature : generated as HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret) . The signature ensures integrity and prevents tampering.

JWT Authentication Flow

User logs in and sends credentials (typically via HTTPS POST).

Server validates credentials, creates a JWT containing user information in the payload, signs it, and returns the token to the client.

Client stores the JWT (e.g., in localStorage or SessionStorage).

For subsequent requests, the client includes the JWT in the Authorization header.

Server verifies the token’s signature, expiration, audience, etc., without needing a database lookup.

After verification, the server extracts user information from the payload and proceeds with the requested operation.

Advantages of JWT

Lightweight and easy to parse.

Highly extensible – custom claims can be added.

Stateless – no server‑side session storage, reducing load.

Cross‑domain support and portability across platforms.

Broad language support and standardization.

Disadvantages of JWT

Cannot be revoked or disabled before expiration; compromise of the secret key is critical.

Token size can grow with many claims, increasing bandwidth.

Security depends entirely on secret management.

Stateless nature makes usage analytics harder for the backend.

Comparison with Cookie, Session, and Token

Cookie: client‑side storage, size‑limited, stateful, vulnerable to CSRF/XSS.

Session: server‑side storage, higher resource cost, suitable for high‑security scenarios.

Token/JWT: client‑side storage, stateless, suitable for distributed systems and SPA architectures.

Application Scenarios

Cookie : tracking user behavior, personalization, shopping carts.

Session : high‑security applications such as online banking, where server‑side state is required.

Token : cross‑domain authentication, mobile apps, REST APIs.

JWT : single sign‑on (SSO), micro‑service authentication, SPA front‑end/back‑end separation, distributed systems.