This glossary defines the most important terms used throughout the JWT Handbook.

Authentication and authorization involve many overlapping concepts, and different frameworks often use slightly different terminology. This glossary establishes consistent definitions that will be used throughout the rest of the handbook.

You don't need to memorize every definition before continuing. Instead, use this page as a reference whenever you encounter an unfamiliar term.


Access Token

A short-lived token that proves a user's identity when making requests to an API.

Access tokens are typically included in the Authorization header and are validated on every protected request.

They usually expire within a few minutes or hours.


Algorithm

The cryptographic method used to create and verify a JWT signature.

Examples include:

The selected algorithm determines how the token is signed and how its authenticity is verified.


API

An Application Programming Interface.