What is JWT?

JWT stands for JSON Web Token, it is an open standard used to share security information between two parties.

Basically, a JWT token contains 3 parts:

1. Header

   Describing the algorithm used in the JWT like HS256, HS512, RS256, etc.

2. Payload

   Storing the actual data

3. Signature

   A data signature used to verify whether the data is valid or not

These 3 parts form a JWT token for a client and a server to verify each other. A valid JWT token has 3 parts and is separated by a dot. For example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT Use Case

JWT is commonly used in API Authentication. We can store the User ID in the JWT token and the client can leverage that token to talk to the server. The server will decode the JWT and read the User ID from the JWT token and verify its identity.

When Not to Use JWT?

1. Sensitive data

   If you have sensitive data, JWT might not be a good solution for you. When using JWT, we need to store the JWT token on the client-side. People can read the payload by using a JWT decoder like jwt.io. So, don’t use JWT if you have sensitive data.

2. The size is too large

   Avoid using JWT if your data size is large because it might affect your frontend application. Cookie might not have enough space to store large size of data since it has a size limitation. Also, it will affect API performance as the HTTP request needs to transmit large data to your server.