Lv.3

JWT (JSON Web Token)

JSON Web Token

A compact, JSON-based digital token format for securely passing information between parties.

In Simple Terms

JWT is a data format used in web services to prove that a user is logged in. For example, when you log in to a mobile app once and then open a different screen without having to re-enter your password, it's because a JWT is embedded in the communication, acting as a certificate that says 'this is the verified user.' Because it's protected by a digital signature, any attempt to tamper with the contents is detected immediately.

Behind the Name

JWT is a data format for securely exchanging JSON-based data over the web. Two pronunciations are common, 'jot' and 'J-W-T'; the official specification (RFC 7519) suggests pronouncing it like the English word 'jot.'

Take a Closer Look!

JWT is a data format designed to exchange information securely and compactly between different systems.
It acts like a container for safely carrying JSON-formatted data.

In the commonly used signed form, the token is split into three parts, 'header,' 'payload,' and 'signature,' joined by dots.
The header specifies the signing algorithm, the payload holds the actual data such as user information, and the signature is computed over the header and payload with a key, so a verifier holding that key can detect any change to either part.

The key feature is that the server does not need to keep track of each individual user's state: verifying the token's signature is enough to determine whether the request comes from a legitimate user.
This allows large-scale services running across many servers to manage login sessions efficiently.

However, in this standard signed form, the data itself is only encoded, not encrypted: anyone who holds the token can read its contents.
For this reason, an important rule is to never include sensitive secrets, such as passwords, directly inside the token.
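The three-part structure, the signature check, and the "readable but not encrypted" property described above, as an added example that is not part of the original page: a minimal HS256 signer and verifier built only from the Python standard library. The secret key and the sample payload are constructed for the demo; the `make_token`, `read_without_key` and `verify` names are this example's own.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo secret; a real service loads a random key from its configuration.
DEMO_KEY = b"constructed-demo-secret-not-for-real-use"

def b64url_encode(raw: bytes) -> str:
    # JWT parts use Base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload: dict, key: bytes) -> str:
    # Signed form: header.payload.signature, each part Base64url-encoded.
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def read_without_key(token: str) -> tuple:
    # Anyone holding the token can decode header and payload; no key is involved.
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify(token: str, key: bytes) -> Optional[dict]:
    # Returns the payload only if the signature is valid for this key, else None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm instead of trusting the token's own header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

if __name__ == "__main__":
    token = make_token({"sub": "alice", "role": "user"}, DEMO_KEY)
    print(read_without_key(token))  # readable by anyone holding the token
    print(verify(token, DEMO_KEY))  # valid: returns the payload
    # Edit the payload but keep the old signature: still readable, no longer verifies.
    h, p, s = token.split(".")
    edited = h + "." + b64url_encode(b'{"sub":"alice","role":"admin"}') + "." + s
    print(read_without_key(edited), verify(edited, DEMO_KEY))  # verify() returns None
```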