Quiz Entry - updated: 2026.07.05
How does token-based authentication with JWT work?
After login the server issues a signed JWT (header.payload.signature); the client stores it and sends it on every request as Authorization: Bearer <token>, and the server trusts it by re-checking the signature — no server-side session needed.
* A JWT is three Base64 parts — header.payload.signature — and the server trusts it by re-checking the signature. *
Flow:
- Client sends login credentials (username, password)
- Server validates and generates JWT from user data
- Server sends JWT back to client
- Client saves JWT in localStorage
- Client includes JWT in Authorization header:
Bearer ${JWT_TOKEN} - Server validates JWT and returns protected resources
JWT Structure (3 parts, Base64URL encoded, separated by dots):
- Header: Algorithm and token type (
{"alg": "HS256", "typ": "JWT"}) - Payload: Claims/data (
{"sub": "1234567890", "name": "John Doe", "admin": true}) - Signature: HMACSHA256(base64url(header) + "." + base64url(payload), secret)
Go deeper:
RFC 7519 — JSON Web Token (JWT) — the JWT spec: header/payload/signature and registered claims.
JSON Web Token (Wikipedia) — worked example of the three Base64URL parts and how the signature is checked.