What is a JSON Web Token (JWT), and why does it enable "stateless" sessions?
A JWT (RFC 7519) is a compact, self-contained token carrying signed JSON claims — because the proof of identity travels inside the token, the server needn't store any session state.
* JWT structure: the signature protects integrity; the payload holds no secrets. *
A JWT has three Base64URL parts separated by dots: header.payload.signature.
- Header — token type and signing algorithm.
- Payload — the claims (e.g.
sub,name,exp, scopes). - Signature — lets the recipient verify the token wasn't tampered with and came from the trusted issuer.
The "stateless session" benefit: with cookies the server must keep a session store to look up each SID. With a JWT, everything needed to authenticate the request is inside the token itself — the server just verifies the signature and trusts the claims. No server-side lookup, which scales well across many servers.
Base64 is encoding, not encryption. A standard JWT's payload is readable by anyone — never put secrets in it. The signature protects integrity, not confidentiality.
Tip: Paste a token into jwt.io to decode the header and payload instantly — a handy way to inspect the ID and Access tokens.
Go deeper:
RFC 7519 — JSON Web Token (JWT) — the spec defining the header/payload/signature structure and registered claims.
Wikipedia: JSON Web Token — concise overview of structure, claims, and common pitfalls.