JWT
Definition
JSON Web Token - a compact, digitally signed token for transmitting claims (such as a user ID and expiration) between parties; the signature lets the receiving party detect any tampering. Like having a tamper-proof ID card that proves who you are.
Use Cases
- Auth0 (Okta): Single sign-on (SSO) and API authorization for web and mobile apps — Issues signed JWT access tokens (and ID tokens in OpenID Connect) after user authentication. Applications validate the JWT signature using published JSON Web Key Sets (JWKS) and enforce scopes/claims for API access. (Enables stateless authentication across distributed services, reduces repeated password prompts, and standardizes authorization using scopes and claims.)
- Microsoft: User sign-in and API access control with Microsoft identity platform (Azure AD/Entra ID) — Uses OAuth 2.0 and OpenID Connect to issue JWTs (ID tokens and access tokens). Resource servers validate issuer, audience, expiration, and signature, then authorize requests based on roles/scopes in token claims. (Centralizes identity, supports SSO across applications, and allows APIs to validate requests without storing server-side session state.)
- Google: Service-to-service authentication for Google APIs and workloads — Uses signed JWTs in OAuth 2.0 service account flows (JWT assertion) to obtain access tokens, and uses OpenID Connect JWTs for user identity in supported flows. Services validate tokens using Google’s public keys and standard claims. (Provides secure, automated authentication for services and users, enabling scalable access to APIs without embedding long-lived credentials in code.)
Frequently Asked Questions
- What's the difference between JWT and a session cookie?
- A session cookie usually contains a random session ID, and the server stores session data in a database or cache. A JWT typically carries claims (like user ID, roles, and expiration) inside the token itself and is digitally signed so the server can verify it without looking up session state. Cookies are often used to store either a session ID or a JWT; the key difference is whether the server must store session state.
- When should I use JWT?
- Use JWT when you need stateless authentication/authorization across multiple services (microservices), APIs, or domains, especially with OAuth 2.0/OpenID Connect. JWTs are a good fit when you want APIs to validate requests by checking a signature and claims (issuer, audience, scopes, expiration) without a server-side session store. Avoid JWT for long-lived sessions that require frequent revocation or immediate logout unless you also implement short expirations, refresh tokens, and/or a revocation strategy.
- How much does JWT cost?
- JWT itself is a free standard; there is no licensing cost to create or validate JWTs using common libraries. Costs come from the surrounding infrastructure: identity provider fees (e.g., managed IAM/CIAM services), compute time for signing/verification, key management (KMS/HSM), API gateway or load balancer features, and operational costs for token rotation, monitoring, and incident response.
Category: security
Difficulty: intermediate