LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does token-based authentication with JWT work?

After login the server issues a signed JWT (header.payload.signature); the client stores it and sends it on every request as Authorization: Bearer <token>, and the server trusts it by re-checking the signature — no server-side session needed.

A JWT decomposed into header.payload.signature, the signature an HMAC of the encoded header and payload.

* A JWT is three Base64 parts — header.payload.signature — and the server trusts it by re-checking the signature. *

Flow:

  1. Client sends login credentials (username, password)
  2. Server validates and generates JWT from user data
  3. Server sends JWT back to client
  4. Client saves JWT in localStorage
  5. Client includes JWT in Authorization header: Bearer ${JWT_TOKEN}
  6. Server validates JWT and returns protected resources

JWT Structure (3 parts, Base64URL encoded, separated by dots):

  • Header: Algorithm and token type ({"alg": "HS256", "typ": "JWT"})
  • Payload: Claims/data ({"sub": "1234567890", "name": "John Doe", "admin": true})
  • Signature: HMACSHA256(base64url(header) + "." + base64url(payload), secret)

Go deeper:

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 05, 2026