# Web Concepts
Various web concepts about protocols, features and other interesting things.
## JWT - JSON Web Token

Source: JWT.io

🔐 Used for: Authorization, not for Authentication
JWTs are commonly used to ensure that the user making a request to the server is the same user who originally logged in.
### What it Looks Like
A JWT is composed of three parts:
- Header
- Payload (Body)
- Signature
### 🧾 Header

Specifies the algorithm used to sign the token:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
### 📦 Payload (Body)

Contains the claims, which are statements about the user:

- username
- id
- roles
- iat (issued at)
- exp (expiration date)
These values are not encrypted, only base64-encoded. Anyone with the token can read them.
### 🧪 Signature
Used to verify that the token is valid and has not been tampered with.
The server signs the token using a secret key. It does not store the token. It only needs the secret to verify incoming tokens.
If the token’s signature matches the one the server generates using its secret, the token is considered valid and trusted.
If you are working with multiple servers (such as in a distributed environment), they must use the same secret or private key to verify tokens consistently.
💡 Note: Never store sensitive data in a JWT. Anyone can decode the payload.
