JWT

Definition

JSON Web Token - a compact way to transmit claims between parties as a digitally signed token, so the receiver can check that the contents were not altered in transit. Like having a tamper-proof ID card that proves who you are.

Frequently Asked Questions

What's the difference between JWT and a session cookie?
A session cookie usually contains a random session ID, and the server stores session data in a database or cache. A JWT typically carries claims (like user ID, roles, and expiration) inside the token itself and is digitally signed so the server can verify it without looking up session state. Cookies are often used to store either a session ID or a JWT; the key difference is whether the server must store session state.

When should I use JWT?
Use JWT when you need stateless authentication/authorization across multiple services (microservices), APIs, or domains, especially with OAuth 2.0/OpenID Connect. JWTs are a good fit when you want APIs to validate requests by checking a signature and claims (issuer, audience, scopes, expiration) without a server-side session store. Avoid JWT for long-lived sessions that require frequent revocation or immediate logout unless you also implement short expirations, refresh tokens, and/or a revocation strategy.

How much does JWT cost?
JWT itself is a free standard; there is no licensing cost to create or validate JWTs using common libraries. Costs come from the surrounding infrastructure: identity provider fees (e.g., managed IAM/CIAM services), compute time for signing/verification, key management (KMS/HSM), API gateway or load balancer features, and operational costs for token rotation, monitoring, and incident response.

Category: security

Difficulty: intermediate
