jatin Chaudhary
YES I AM THE ONE WHO REQUESTED THE ACCESS

NOTE: This is my first post, so apologies in advance if I’ve misunderstood something. I’m open to discussions and corrections.

Have you ever wondered how authorization and secure information transfer (via signing) actually work: which resources are allowed for your use and which are not, or, when you want to transfer sensitive information, how you know whether it has been encrypted or not?

Well, JWT is widely used in modern web applications for exactly this.

What is JWT?

JWT stands for JSON Web Token. It defines a compact and self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs are short-lived: they expire after some time, which is part of what makes them useful.

Signed tokens let you verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties.

Use of JWT?

JWT is mainly used for authorization and information exchange.

1> Authorization: This is the most common use case of JWT. It is about which routes, services, and resources the holder of a token is permitted to access. There is a difference between authentication and authorization. Both can use JWT, but authentication is about verifying the user, while authorization is about access to resources.

  • Authentication → verifies who the user is

  • Authorization → determines what the user is allowed to access

2> Information Exchange: JWTs are also used to securely transmit information between parties. Because JWTs can be signed, for example using public/private key pairs, you can be sure the senders are who they say they are.

Structure of JWT?

A JWT consists of three parts, separated by dots (.):

1> HEADER: Contains metadata about the token
{
"alg": "HS256",
"typ": "JWT"
}

2> Payload: Contains the actual data (claims)
{
"userId": 123,
"email": "user@example.com",
"role": "admin",
"exp": 1712345678
}

3> Signature: Used to verify that the token was not tampered with. For HS256 it is an HMAC over the first two (base64url-encoded) parts:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret_key
)

How JWT Authentication Works (Flow)

  1. User logs in with email & password
  2. Server verifies credentials
  3. Server generates JWT using a secret key
  4. JWT is sent to client
  5. Client stores JWT (cookie / localStorage)
  6. Client sends JWT in Authorization header for every request
  7. Server verifies JWT and allows access

Advantages of JWT:

  • Stateless authentication (no DB lookup per request)
  • Fast & scalable
  • Easy to use across microservices
  • Works well with REST APIs & mobile apps

Disadvantages of JWT:

  • Tokens cannot be revoked easily
  • If a token is stolen, the attacker can use it
  • Payload is readable by anyone holding the token (it is signed, not encrypted)
  • Large tokens increase request size

JWT in Express.js:

Generate Token

const jwt = require("jsonwebtoken");

const token = jwt.sign(
  { userId: user._id },
  process.env.JWT_SECRET,
  { expiresIn: "1h" }
);

Verify Token (Middleware)

const jwt = require("jsonwebtoken");

const verifyToken = (req, res, next) => {
  // Expect "Authorization: Bearer <token>"
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) return res.status(401).json({ message: "No token" });

  // Pin the accepted algorithm so the token's own "alg" header cannot change
  // how it is verified; jsonwebtoken also checks "exp" for us.
  jwt.verify(token, process.env.JWT_SECRET, { algorithms: ["HS256"] }, (err, decoded) => {
    if (err) return res.status(403).json({ message: "Invalid token" });
    req.user = decoded;
    next();
  });
};

module.exports = verifyToken;

Final Thoughts:

JWT is powerful, fast, and widely adopted — but only when used correctly.
Understanding how it works internally helps in designing secure and scalable systems.

I’m starting this as a learning hobby to improve my knowledge and connect with talented people.
Feedback and suggestions are always welcome.
