ToolsCourt Blog · Dev · 8 min read · January 2025

JWT Explained: What It Is, How It Works, and When to Use It

JSON Web Tokens from scratch — header, payload, signature, standard claims, and security best practices.


What Problem Does JWT Solve?

When a user logs into a website, the server needs to remember who they are for subsequent requests. The traditional solution is session cookies: the server stores session data in a database and gives the client a session ID. The problem: as your application scales to multiple servers, every server needs access to the same session database — creating a bottleneck.

JWT solves this by making authentication stateless. Instead of storing session data server-side, the server issues a token that contains the user's identity and any relevant claims. The client sends this token with every request. Any server that holds the verification key can check the token cryptographically without querying a database.

Anatomy of a JWT

A JWT has three base64url-encoded parts separated by dots (the third part below is a placeholder, since the real signature depends on the secret key):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ.signature

Part 1 (Header):  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Decoded:          {"alg": "HS256", "typ": "JWT"}

Part 2 (Payload): eyJzdWIiOiJ1c2VyXzEyMyIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ
Decoded:          {"sub": "user_123", "iat": 1700000000, "exp": 1700003600}

Part 3 (Signature): HMAC-SHA256 of "header.payload" under the secret key. It proves the token was issued by a holder of that key and has not been altered since; it cannot be verified or forged without the key. Note that the header and payload are only encoded, not encrypted: anyone who holds the token can read them, so the payload must contain nothing sensitive.

How Token Verification Works

  • Client sends request with JWT in Authorization header: Authorization: Bearer eyJhbG...
  • Server splits the token into its 3 parts
  • Server recomputes the signature over header+payload using its secret key and the algorithm it is configured for (not whatever the token's header claims in alg)
  • If the computed signature matches the token's signature (compared in constant time) — valid
  • Server checks expiry (exp claim) and other claims such as iss and aud
  • If all checks pass — request is authorised
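The anatomy and the verification checklist above, as a self-contained Python example added here (this is not code from the ToolsCourt page or its decoder): sign_hs256 builds a token, and verify_hs256 walks the checklist, pinning the algorithm to HS256, comparing the MAC in constant time and rejecting expired tokens. The secret and claim values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

SAMPLE_SECRET = b"constructed-demo-secret"  # constructed; never a real key
SAMPLE_CLAIMS = {"sub": "user_123", "iat": 1700000000, "exp": 1700003600}


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    # header.payload.signature, where the HMAC covers exactly "header.payload"
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now=None):
    # Returns the claims dict when the token is authentic and unexpired, else None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header, payload = (json.loads(b64url_decode(s)) for s in (header_b64, payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed base64 or JSON
        return None
    # The server fixes the algorithm; a header claiming "none" or anything else is rejected
    if not (isinstance(header, dict) and isinstance(payload, dict) and header.get("alg") == "HS256"):
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison, so response timing leaks nothing about the expected MAC
    if not hmac.compare_digest(expected, signature):
        return None
    # RFC 7519: the current time must be strictly before exp
    exp = payload.get("exp")
    now = int(time.time()) if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return payload
```

Calling verify_hs256(sign_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET), SAMPLE_SECRET, now=1700000100) returns the claims; the same token with a wrong key, an altered payload or a clock past exp yields None.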

Access Tokens vs Refresh Tokens

Token          Typical expiry   Purpose                     Storage
Access token   15 minutes       Authenticate API requests   Memory (JS variable)
Refresh token  7–30 days        Get new access tokens       HttpOnly cookie
⚠️ Never store JWTs in localStorage. XSS attacks can steal tokens from localStorage. Store access tokens in memory and refresh tokens in HttpOnly cookies.
💡 Use the ToolsCourt JWT Decoder to inspect any JWT — see all claims, check expiry in real time, and verify the algorithm used.