What is JWT (JSON Web Token)?

Answer

A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties.

Structure: three Base64URL-encoded parts separated by dots: header.payload.signature. Header: algorithm (HS256, RS256) and token type. Payload: claims (user ID, roles, expiration time). Signature: HMAC or RSA signature that verifies the token hasn't been tampered with.

JWTs are self-contained: the server can verify them without a database lookup (stateless). Common uses: access tokens in OAuth/OIDC flows and API authentication.

Security pitfalls:
(1) Algorithm confusion: validate the algorithm against what the server expects; never accept none.
(2) Short expiration: set the exp claim (15-60 minutes).
(3) Secure storage: store in HttpOnly cookies, not localStorage (XSS risk).
(4) Sensitive data: the payload is only Base64-encoded, not encrypted, so don't put secrets in it. Use JWE (encrypted JWT) for confidentiality.
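As an added illustration (not part of the original answer), the following Python mints and verifies an HS256 token using only the standard library, enforcing pitfalls (1) and (2) above: the accepted algorithm is fixed in the verifier rather than read from the token, so an alg of none is refused, and a missing or past exp claim fails verification. The key and claim values are constructed test data.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the token is valid, else raise ValueError.
    The algorithm is pinned here; the token's alg field is only compared
    to it, never used to select how the signature is checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg (none is rejected)")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison to avoid leaking the signature byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise ValueError("exp claim is required")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def is_valid(token: str, key: bytes, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need a yes/no."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False
```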