Welcome to the JWT Handbook.

This handbook is organized as a progressive learning resource. While each chapter can be read independently, the topics are intentionally arranged so that every concept builds upon the previous one.

If you're new to JWT authentication, following the recommended reading order will provide the clearest understanding. If you're already familiar with the basics, you can use this handbook as a reference and jump directly to the chapters you need.


How This Handbook Is Organized

The handbook is divided into five major parts.

Part I — Fundamentals introduces the building blocks of JSON Web Tokens. You'll learn what JWTs are, why they were created, how they're structured, and how claims are used to represent information.

Part II — Algorithms explains how JWTs are signed and verified. You'll learn the differences between symmetric and asymmetric cryptography, understand the strengths and weaknesses of common signing algorithms, and discover how to manage signing keys securely.

Part III — Authentication focuses on real-world authentication systems. It covers login flows, access tokens, refresh tokens, authorization, logout, expiration, and stateless authentication.

Part IV — Security explores the vulnerabilities that affect JWT implementations and the techniques used to prevent them. You'll learn about common attacks, secure token storage, validation strategies, and production security practices.

Part V — Frameworks demonstrates how JWT authentication is implemented in popular JavaScript frameworks including Node.js, Express, NestJS, and Next.js.

Finally, the handbook concludes with a Cheat Sheet for quick reference and a comprehensive FAQ.


Recommended Reading Order

If you're learning JWT for the first time, read the chapters in the following order:

  1. Welcome
  2. Reading Guide
  3. Glossary
  4. What is JWT
  5. History of JWT