LOGBOOK

HELP

Quiz Entry - updated: 2026.07.06

What is a JSON Web Token (JWT), and why does it enable "stateless" sessions?

A JWT (RFC 7519) is a compact, self-contained token carrying signed JSON claims — because the proof of identity travels inside the token, the server needn't store any session state.

JWT = header.payload.signature; signature protects integrity but Base64URL payload is readable.

* JWT structure: the signature protects integrity; the payload holds no secrets. *

A JWT has three Base64URL parts separated by dots: header.payload.signature.

  • Header — token type and signing algorithm.
  • Payload — the claims (e.g. sub, name, exp, scopes).
  • Signature — lets the recipient verify the token wasn't tampered with and came from the trusted issuer.

The "stateless session" benefit: with cookies the server must keep a session store to look up each SID. With a JWT, everything needed to authenticate the request is inside the token itself — the server just verifies the signature and trusts the claims. No server-side lookup, which scales well across many servers.

warning Base64 is encoding, not encryption. A standard JWT's payload is readable by anyone — never put secrets in it. The signature protects integrity, not confidentiality.

Tip: Paste a token into jwt.io to decode the header and payload instantly — a handy way to inspect the ID and Access tokens.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 06, 2026