A JWT is a tamper-proof 'pass' a server issues by signing it. It has three parts — header.payload.signature — and the server verifies the signature to confirm authenticity. Watch out for: (1) always verify the signature and pin the expected alg (reject alg:none); (2) anyone can read the contents, so put no secrets in it; (3) keep expiry short and have a revocation strategy. Decoding (reading) and verifying (checking authenticity) are different things.