RadarTrek

JSON Web Token (JWT)


A signed, self-contained token that carries identity claims and can be verified without a database lookup.

Reviewed by the RadarTrek editorial team · June 2026

A JWT packs a set of claims (who the user is, when the token expires, what they're allowed to do) into a compact, signed string. Because the signature can be verified mathematically, a server can trust a JWT's contents without querying a database on every request — but that same self-contained nature means a JWT can't be "deleted" early; it's valid until it expires, unless you build a separate revocation mechanism.

Why it matters

  • JWTs trade a database lookup for cryptographic verification — fast, but it means you can't instantly revoke one without extra infrastructure.
  • Anyone can decode (not forge) a JWT's payload — it's signed, not encrypted, so never put secrets inside the claims.
  • Short expiry times plus a refresh-token flow are the standard way to limit the damage a stolen JWT can do.

Where to learn this


JWT: The Full Picture

Auth Patterns Deep Dive course

This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.
