What is JWT? - Explanation & Meaning
Learn what JWT (JSON Web Token) is, how stateless authentication works, and why JWT is the standard for modern API authentication and authorization.
Definition
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are widely used for stateless authentication and authorization in modern web applications and APIs.
Technical explanation
A JWT consists of three base64url-encoded parts separated by dots: header, payload, and signature. The header states the token type and the signing algorithm (such as HS256 or RS256). The payload contains claims, both registered (iss, exp, sub) and custom, carrying information about the user and their permissions. The signature is computed over the encoded header and payload with either a shared secret (HMAC) or a private key (RSA/ECDSA), so any change to the header or payload invalidates it.

With stateless authentication, the server does not need to store session data: everything it needs is in the token itself. Access tokens have a short lifespan (minutes), while longer-lived refresh tokens are used to obtain new access tokens. JWTs suit microservice architectures because each service can validate a token independently, without a central session store.

Key security considerations: always transmit tokens over HTTPS, set short expiration times, keep sensitive data out of the payload (it is encoded, not encrypted), and store tokens securely (httpOnly cookies rather than localStorage).
How MG Software applies this
MG Software uses JWT as the standard authentication mechanism in our APIs and web applications. We implement an access/refresh token strategy with short-lived access tokens and secure httpOnly cookies for refresh tokens. In our Supabase integrations, we process JWTs for Row Level Security. For microservice architectures, we use JWTs to authenticate requests between services without a shared session store.
Practical examples
- A web application that returns a JWT access token after login with a 15-minute validity period, after which a refresh token automatically requests a new access token without requiring the user to log in again.
- A microservice architecture where each service validates incoming JWT tokens against the authentication service's public key without querying a shared database.
- A mobile app that stores JWT tokens in the operating system's secure storage and sends them with every API request in the Authorization header.