JWT Authentication: Generating and Issuing Tokens
Understand how to generate and issue JWTs to securely authenticate users in Express.js applications.
Authentication helps web applications verify users and control access to protected resources. A common approach is session-based authentication, where the server creates a session for each logged-in user and stores it in memory or a database. Every time the user makes a request, the server looks up their session to confirm their identity.
However, as applications grow, managing sessions becomes more challenging. Each request requires the server to check and update session data, which adds overhead and slows things down—especially for APIs and distributed systems.
JSON Web Tokens (JWTs) provide a stateless and scalable alternative. Instead of storing session data on the server, a JWT encapsulates user details inside a self-contained, digitally signed token. This allows the server to verify authentication without querying a session store, improving performance and simplifying scaling.
In this lesson, we’ll explore what JWTs are, how they work, and how to generate and issue them in an Express.js application.
Understanding JSON Web Tokens
A JWT consists of three parts, separated by dots (.):
Header: It specifies the algorithm and token type.
Payload: It contains user claims (user-specific information) as well as metadata.
Signature: It ensures the token’s integrity and authenticity.
When encoded, a JWT typically looks like this:
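As an added example, not part of the original lesson, the script below assembles the three parts by hand with Node's built-in crypto module and prints the encoded token; it also shows that the payload is readable without the key and that a changed payload fails the signature check. The function names, secret and claims are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo secret (assumption); real services load it from protected configuration.
const DEMO_SECRET = 'constructed-demo-secret-do-not-reuse';

const b64url = (text) => Buffer.from(text, 'utf8').toString('base64url');
const fromB64url = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// HMAC-SHA256 over "header.payload", which is what HS256 signs.
function sign(signingInput, secret) {
  return crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
}

// Builds header.payload.signature. Expiry (exp) checks are out of scope here.
function issueToken(claims, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${sign(`${header}.${payload}`, secret)}`;
}

// The payload is only encoded, not encrypted: anyone holding the token can read it.
function decodePayload(token) {
  return fromB64url(token.split('.')[1]);
}

// Returns the claims when the signature is valid, otherwise null.
function verifyToken(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  try {
    // Pin the algorithm instead of trusting whatever the header claims.
    if (fromB64url(header)?.alg !== 'HS256') return null;
    const expected = Buffer.from(sign(`${header}.${payload}`, secret));
    const given = Buffer.from(signature);
    // timingSafeEqual throws on length mismatch, so compare lengths first.
    if (expected.length !== given.length) return null;
    if (!crypto.timingSafeEqual(expected, given)) return null;
    return fromB64url(payload);
  } catch {
    return null; // malformed base64url or JSON
  }
}

const token = issueToken({ sub: 'user-123', role: 'user' }, DEMO_SECRET);
console.log(token); // three base64url parts joined by dots
console.log(decodePayload(token)); // readable without the secret
```

Because the payload can be decoded by anyone who holds the token, it should carry identifiers and claims only, never passwords or other secrets.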