What is JWT and how is it validated in REST APIs?
Answer
A JWT (JSON Web Token) consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains claims: standard ones (sub for the subject/user ID, exp for expiry, iat for issued-at) and custom ones (role, permissions). The signature is computed over the header and payload with a shared secret (HS256) or a private key (RS256); the API verifies it with the secret or the corresponding public key, so no database lookup is needed. Validation steps: verify the signature using the key and algorithm the server expects, check that exp has not passed, and check iss (issuer) and aud (audience) if they are set. JWTs are stateless, so revocation requires short expiry times combined with a refresh token mechanism or a token blacklist. Never store sensitive data in the payload: it is only encoded, not encrypted.