How does JWT (JSON Web Token) Authentication work - Pros & Cons

JWT(JSON Web Token) is currently becoming the standard of web authorization, where the token carries all the required information along with the token and on server the information is decoded by the server using key. It is very important to understand JWT Token, JWT decode and pros and cons.

What is JWT(JSON Web Token)?

A JSON Web Token (JWT) is a compact, URL-safe way of securely transmitting information between client and server in most of the general cases.

You can understand this with an analogy of a digital boarding pass ✈️ — once you get it after logging in, you keep showing it to prove your identity until it expires.

A JWT Token has three parts:

1. Header → contains metadata (e.g., algorithm used for signing).
2. Payload → contains the actual data (like userId, email, roles).
3. Signature → verifies the token hasn’t been tampered with.

Example structure:

A JWT (JSON Web Token) is made up of three parts: Each part is Base64URL encoded and separated by dots.

<header>.<payload>.<signature>

JWT decoded Example

Here’s a sample JWT string (shortened for readability):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6ImFkbWluIiwiZXhwIjoxNzE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Values

When decoded, it has three JSON objects: JWT Decode Applications

1️⃣ Header

alg: Algorithm used to sign the token (HS256 = HMAC + SHA-256).

typ: Type of token (JWT).

{
  "alg": "HS256",
  "typ": "JWT"
}

2️⃣ Payload

This is the part of the token that carries the actual payload data to the server.

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "exp": 1716239022
}

sub: Subject (usually the user ID).

name: User’s name.

role: Role of the user (admin, user, etc.).

exp: Expiry timestamp (Unix epoch).

3️⃣ Signature

The server uses this signature to verify that the token hasn’t been altered.

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

How does JWT (JSON Web Token) Authentication work?

Here is the end-to-end JWT authentication flow 

1️⃣ User logs in with valid credentials.

2️⃣ Server validates and generates a JWT (with header, payload, and signature).

3️⃣ This token is sent back to the client and stored (usually in localStorage or cookies).

4️⃣ For every request, the client attaches the token in the "Authorization" header.

5️⃣ Server verifies the signature to ensure it hasn’t been tampered with.

6️⃣ If valid → ✅ access granted. If not → ❌ access denied.

JWT Token-based Authentication - Pros & Cons

let's understand the important advantages which JWT token provides instead of cookie-based authentication, and in which cases JWT token is not a better choice 

⚖️ Pros of JWT

✅ Stateless

1. No need for the server to store session data.

2. Works perfectly with microservices and distributed systems.

✅ Scalable

1. Easy to use with APIs, SPAs (React/Next.js), and mobile apps.

2. Doesn’t rely solely on browser cookies.

✅ Compact  & Fast

1. Base64 encoded → small enough to send in HTTP headers.

2. Less overhead compared to storing session IDs.

✅ Flexible Payload

1. Can carry custom claims like roles, permissions, tenant info, etc.

⚠️ Cons of JWT

❌ Difficult to revoke

1. Once issued, you can’t easily “kill” a token if the token gets compromised.

❌ Size bloat

1. Storing too much data in the payload can slow requests.

❌ Security risks

1. If stored in localStorage, vulnerable to XSS.

❌ Expiry handling

1. Needs proper refresh token mechanism - This is the extra effort to keep it fresh.

Learn Next

1. Notes for web authorizaion techniques