JWT
JSON Web Token: a compact, self-contained token for transmitting claims between parties. The server can verify it without a database lookup.
What is JWT?
JWT is an intermediate-level concept that sits in the Security Architecture area of system design. Engineers reach for it whenever they need to reason about real-world trade-offs in that space — not just for textbook correctness, but because real production systems at companies like Netflix, Amazon, and Google make these decisions every day.
If you want to go deeper than this definition — with diagrams, code, and a quiz to lock it in — work through the "JWT" lesson linked below. It walks through the why, the mechanism, the trade-offs, and how the giants actually use it in production.
Learn JWT in depth
Full interactive lesson with diagrams, code examples, real-world references, and a quiz.
Open the JWT lesson
Related lessons
Lessons that touch on JWT as part of a larger topic.
JWT Sessions
Using JWTs as session tokens: the trade-offs, pitfalls, and best practices
intermediate · security architecture
Session Management
How servers remember who you are between requests in a stateless protocol
foundation · core fundamentals
Distributed Session Management
Managing user sessions across multiple servers, sticky sessions, centralized stores, and token-based approaches
intermediate · security architecture
Service-to-Service Authentication
How microservices prove their identity to each other, mTLS, JWTs, API keys, and SPIFFE
intermediate · security architecture
See also
Related glossary terms you might want to look up next.
OAuth
An authorization framework that lets users grant third-party apps limited access to their accounts without sharing passwords. Powers 'Sign in with Google.'
Session
A way to maintain state across multiple HTTP requests. The server stores data about a user and gives them a session ID (usually in a cookie).
Stateless
A system where each request contains all the information needed to process it. The server doesn't remember previous requests. Easier to scale horizontally.