what is a jwt?
jwt (json web token) is a self-contained, signed token carrying authentication claims.
it has three dot-separated parts:
`header.payload.signature`
the server verifies the signature and trusts the payload without looking up a session.
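a minimal HS256 verifier, added here as an illustration (not code from the original post): it shows the "check the signature, then trust the payload, no session lookup" flow, pins the algorithm so the token can't pick its own, and treats `exp` as the only built-in revocation. the secret and claims are constructed demo values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# constructed demo secret; a real service loads this from a secret store
SECRET = b"demo-secret-do-not-use"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(payload: dict, secret: bytes = SECRET) -> str:
    """build header.payload.signature with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """return the claims if signature and exp check out, else None.
    everything needed is inside the token: no session table is consulted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None  # wrong part count, bad base64url, or bad json
    # pin the algorithm server-side: the token never chooses (rejects "none" and alg swaps)
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # constant-time compare so the check does not leak timing information
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    now = time.time() if now is None else now
    # exp is the only built-in revocation: a leaked token stays valid until then
    if "exp" not in claims or now >= claims["exp"]:
        return None
    return claims
```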
why use it?
jwt enables stateless authentication:
- no server-side session storage
- no db/redis hit per request
- easy horizontal scaling
- works well across services and platforms
comparison
| approach | where state lives | lookup per request | revoke instantly | scales easily | common failure mode |
|---|---|---|---|---|---|
| db session | database | yes | yes | meh | db becomes auth bottleneck |
| redis session | redis | yes | yes | decent | redis outage = logout storm |
| jwt | client token | no | no (until exp) | yes | leaked token lives until expiration |
practical take
- db/redis sessions optimize control
- jwt optimizes distribution
- jwt is not “more secure”, just different tradeoffs