JWTs are digitally signed payloads, encoded in a URL-friendly string format.

A JWT can contain any payloads in general, but the most common use case is to use the payload to define a user session.

The key 🔑 thing about JWTs is that to confirm whether one is valid we only need to inspect the token itself and validate its signature 🖋, without contacting a separate server and without keeping tokens in memory or in a database between requests.

If JWTs are used for Authentication, they will contain at least a user ID and an expiration timestamp.

[Image: JWT-Example.png]

This might not look like JSON.

Let’s go over to jwt.io, paste the JWT into the validation tool and look at the decoded JWT payload.

[Image: JSON-Payload.png]

The sub property contains the user identifier, and the exp property contains the expiration timestamp.
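As an added example (not code from the original post), here is the local validation just described, written in Python with only the standard library: decode the three base64url parts, pin the algorithm, verify the HS256 signature, then check `exp`. `SECRET`, `issue_token` and `verify_token` are illustrative names assumed for this example, not part of any library.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical HS256 secret for this added example only; a real service loads it from config.
SECRET = b"example-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, now=None) -> str:
    """Login step: build an HS256 JWT carrying the user id (sub) and expiry (exp)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": user_id, "exp": now + ttl_seconds}).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, now=None) -> dict:
    """Validate locally (no server round-trip): pinned alg, valid signature, not expired.
    Returns the payload, or raises ValueError describing why the token was rejected."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the header's alg pick the verifier ("none" / downgrade).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if "sub" not in payload or "exp" not in payload:
        raise ValueError("missing sub/exp claim")
    if now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload
```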

This type of token is known as a Bearer Token: it identifies the user that owns it and defines a user session.

A Bearer Token is a signed temporary replacement for the username/password combination!

For the rest of this post we will treat a JWT as a string containing a verifiable JSON payload that defines a user session. The first 🥇 step in implementing JWT-based authentication is to issue a Bearer Token and hand it to the user; that is the purpose of the Login / Sign-up page.

Step 1️⃣

Authentication starts with a Login Page. Generally the Login Page is hosted on a separate server.

So the Login Page might be: