JSON Web Tokens — compact, signed tokens for auth. When they are useful, when they are overrated.
Category · Security & Compliance
A signed token in plain text.
A JSON Web Token is a compact, signed data packet: header, payload and signature, base64-encoded. The signature ensures the content hasn't been tampered with — but it doesn't encrypt it. Whoever has the token can read the content.
Typically a JWT carries who the user is, when the token expires and what rights it holds. The server can verify that without querying a database on every request.
When they're useful.
JWTs play to their strength in stateless, distributed systems — for instance when several services have to verify the same identity without sharing a common session. Paired with OAuth/OIDC, they're the norm as short-lived access tokens.
We use them where statelessness is genuinely an advantage, and keep the lifetime short.
When they're overrated.
The biggest misconception: an issued JWT can't easily be revoked — until it expires, it's valid. For classic sessions with instant logout, a server-side session is often the more honest choice.
Whoever writes sensitive data into the payload or keeps tokens valid for months has misunderstood the format.
