Reference Explainer
JWT
JSON Web Tokens are signed claims used for stateless authorization.
What It Is
- JWTs contain header, payload, and signature segments separated by dots.
- Claims like exp (expiration), iat (issued at), and nbf (not before) control the token's validity window.
- A decoder can parse the claims, but only verifying the signature with the expected key confirms that they can be trusted.
Common Pitfalls
- Assuming decoded payloads are verified.
- Not validating issuer and audience claims.
- Long-lived tokens without rotation or revocation strategy.
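The following is an added example, not code from the original page. It implements a minimal HS256 signer and verifier with only the standard library so the difference between decoding and verifying is visible: `decode_unverified` returns whatever the payload segment says, while `verify_jwt` checks the signature first and then the exp, nbf, iat, iss and aud claims described above. The key, claim values and the `verify_result` helper are constructed for this demonstration; a production service should use a maintained JWT library rather than this code.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real service loads its key from a secret store.
DEMO_KEY = b"demo-secret-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding the encoder stripped."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature using HMAC-SHA256 over the first two segments."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """The pitfall: parses the payload without touching the signature, so nothing here is trustworthy."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[float] = None, leeway: int = 0) -> dict:
    """Verify the signature, then the claim set. Raises ValueError on any failure."""
    if now is None:
        now = time.time()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm on the verifier side instead of trusting the header's alg field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("iat in the future")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def verify_result(token: str, key: bytes, issuer: str, audience: str, now: float) -> str:
    """Helper for the demo: 'ok' or the reason verification failed."""
    try:
        verify_jwt(token, key, issuer, audience, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


def demonstrate_pitfall(now: float):
    """Alter the payload of a valid token and compare what decoding and verifying report."""
    token = sign_jwt({"sub": "user-42", "iss": "https://issuer.example", "aud": "api.example",
                      "iat": now, "nbf": now, "exp": now + 300}, DEMO_KEY)
    header_b64, payload_b64, sig_b64 = token.split(".")
    altered = dict(json.loads(_b64url_decode(payload_b64)), sub="admin")
    altered_token = f"{header_b64}.{_json_segment(altered)}.{sig_b64}"
    return decode_unverified(altered_token)["sub"], verify_result(
        altered_token, DEMO_KEY, "https://issuer.example", "api.example", now + 10)


if __name__ == "__main__":
    print(demonstrate_pitfall(1_700_000_000))
```

`demonstrate_pitfall` returns `("admin", "bad signature")`: the unverified decoder reports the altered subject as if it were real, while the verifier rejects the token before reading a single claim. The `leeway` parameter exists because issuer and resource server clocks drift; keep it to a few seconds, since every second of leeway extends the validity window the exp and nbf claims are meant to bound.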