JSON Web Token (JWT)
JWT
A signed, self-contained token that carries identity claims and can be verified without a database lookup.
Reviewed by the RadarTrek editorial team · June 2026
A JWT packs a set of claims (who the user is, when the token expires, what they're allowed to do) into a compact string of three base64url segments: header, payload and signature. Because the signature is verified cryptographically (an HMAC or a digital signature computed over the header and payload), a server can trust a JWT's contents without querying a database on every request. That same self-contained nature means a JWT can't be "deleted" early: it stays valid until its expiry claim passes, unless you build a separate revocation mechanism, such as a denylist of token IDs, and consult it on each request.
Why it matters
- JWTs trade a database lookup for cryptographic verification: fast, but it means you can't instantly revoke one without extra infrastructure.
- Anyone can decode (not forge) a JWT's payload. The common form is signed, not encrypted (an encrypted JWE variant exists, but the typical bearer token is not one), so never put secrets inside the claims. Forging still fails, because the verifier recomputes the signature with a key the attacker doesn't have; make sure the verifier also pins the expected algorithm instead of trusting the token's own header.
- Short expiry times plus a refresh-token flow are the standard way to limit the damage a stolen JWT can do; the server must actually check the expiry claim on every request for this to hold.
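The points above, worked through in code. This is an added example for this glossary entry, not code from the course it links to, and it uses only the Python standard library. It assumes HS256 (HMAC-SHA256), a constructed demo key named SECRET and a constructed set of claims named DEMO_CLAIMS; the helper names (sign_hs256, verify_hs256, decode_unverified, swap_payload, unsigned_token, reject_reason) are this example's own. It shows that the payload is readable without the key, that editing the payload breaks the signature, that a header claiming alg "none" is rejected because the verifier pins the algorithm, that the token dies at its exp claim, and that ending it earlier needs a denylist held outside the token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for this example only; a real service loads it from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed sample claims: subject, role, expiry (Unix seconds) and a token id (jti).
DEMO_CLAIMS = {"sub": "alice", "role": "editor", "exp": 1_000_000_100, "jti": "t1"}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as the JWS spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON, then base64url: one JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What anyone holding the token can read: the payload is only base64url, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def swap_payload(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature: editing is easy, forging is not."""
    header, _payload, sig = token.split(".")
    return header + "." + _segment(new_claims) + "." + sig


def unsigned_token(claims: dict) -> str:
    """A token whose header claims alg 'none' and carries an empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_hs256(token: str, key: bytes, now=None, revoked=frozenset()) -> dict:
    """Return the claims if the token is trustworthy, else raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm the service expects; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    # 'exp' is mandatory here; a token is invalid on or after its expiry time.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    # Early revocation needs state outside the token, e.g. a denylist of jti values.
    if claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims


def reject_reason(token: str, key: bytes, now=None, revoked=frozenset()) -> str:
    """'' when the token verifies, otherwise the reason verify_hs256 rejected it."""
    try:
        verify_hs256(token, key, now=now, revoked=revoked)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_000_000_000  # fixed clock so the demo is reproducible
    tok = sign_hs256(DEMO_CLAIMS, SECRET)
    print("token:", tok)
    print("readable without the key:", decode_unverified(tok))
    print("valid at t0:", reject_reason(tok, SECRET, now=t0) or "ok")
    print("role edited to admin:", reject_reason(swap_payload(tok, dict(DEMO_CLAIMS, role="admin")), SECRET, now=t0))
    print("alg none:", reject_reason(unsigned_token(DEMO_CLAIMS), SECRET, now=t0))
    print("at exp:", reject_reason(tok, SECRET, now=DEMO_CLAIMS["exp"]))
    print("jti revoked:", reject_reason(tok, SECRET, now=t0, revoked={"t1"}))
```

The `now` parameter exists so the expiry behaviour can be exercised with a fixed clock; in production leave it as None so the real time is used. The `revoked` set stands in for whatever shared store (cache, database) you would query for denylisted token IDs, which is exactly the extra infrastructure the first bullet refers to.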
Where to learn this
JWT: The Full Picture
Auth Patterns Deep Dive course
This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.