JWT (JSON Web Token)
Definition
JWT (JSON Web Token) is a compact, URL-safe, digitally signed token format for authenticating users. It is stored on the client (cookie or localStorage) instead of in a server-side session, and it is the standard authentication mechanism in modern APIs, SPAs and mobile apps.
Detailed explanation
Three parts: Header (algorithm, type), Payload (claims such as user_id, role, exp), Signature (computed by the server with its secret over the first two parts). Serialized as three base64url segments: xxx.yyy.zzz.
Stateless: the server validates the JWT on every request without a database session lookup, which gives horizontal scalability. Standard in microservices and serverless architectures.
Access + refresh token pattern: a short-lived access token (15 min) paired with a long-lived refresh token (7-30 days), so that a stolen access token expires quickly. NextAuth, Auth0 and Clerk support it out of the box.
Security pitfalls: a JWT kept in localStorage is exposed to XSS (prefer a cookie with httpOnly and sameSite set); expiry checking is mandatory; signature-validation bypass is a common bug; a leaked signing secret is catastrophic, since anyone holding it can mint valid tokens.
Use cases
→REST/GraphQL API authentication
→SPA + mobile app session management
→Identity propagation between microservices
→Stateless API gateway
→OAuth 2.0 access token format
Pros
- Stateless (no DB lookup)
- Horizontally scalable
- Cross-domain (CORS-friendly)
- Standard format (RFC 7519)
Cons
- Revocation is hard (immediate logout is difficult)
- XSS risk when stored in localStorage
- Expiry management is fiddly
- Token size is larger than a session cookie