A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between two parties.
It is one of the most widely adopted standards for authentication and authorization in modern web applications, APIs, mobile apps, and distributed systems.
At its core, a JWT is simply a string. However, that string contains structured data and a cryptographic signature that allows another system to verify that the information has not been modified.
Unlike traditional session identifiers, a JWT can carry information about the authenticated user directly inside the token itself.
JWT stands for JSON Web Token.
The format is defined by RFC 7519, an Internet standard published by the Internet Engineering Task Force (IETF).
According to the specification, a JWT is:
"A compact, URL-safe means of representing claims to be transferred between two parties."
There are three important ideas in that definition:
Everything else builds on these concepts.
Before JWT became popular, most web applications relied on server-side sessions.
The authentication flow looked something like this: