Exploring JWT

Sneha Bhandari

When I started learning the MERN stack, the first time I heard about authentication, I got confused. As a beginner, you will find it confusing until you practice it in real projects.

One of the methods used for authentication is JWT. So, in this blog, let’s understand what JWT is, why it’s used, and how it works — without writing a single line of code.


But before we dive into what, how, and why, let’s understand what authentication is.

What is Authentication?

Authentication is the process of verifying who someone is.

In simple terms — think about Login or Sign-in.


That’s it. You enter credentials, and the system checks if you are who you say you are.

Now for implementing authentication, one common method is token-based authentication, and one of the ways to do that is by using JWT.

Token-Based Authentication

As beginners, we usually come across two common authentication methods:

  1. Session-based authentication

  2. Token-based authentication — this is where JWT comes in.

Token-based authentication is like this:

  • When a user logs in or signs up on your website, a token is created for that user.

  • This token is stored in the user’s browser.

  • The next time the user visits your site, this token is used to verify them.

This whole process is called token-based authentication, and JWT is one of the most common ways to do it.

What is JWT?

JWT stands for JSON Web Token.

It’s used for authentication, to verify who the user is.

Look at this random-looking string:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

You may ask: What is this?

Well, that’s a JWT: a single URL-safe string.


Let’s Understand the Process

  • A user signs up on your website.

  • They automatically get logged in.

  • Now, imagine they scroll for a bit and close the tab, but when they come back, they’re still logged in.

  • Or when they go to a different page, it doesn’t ask them to log in again.

How does this happen?

This is where JWT comes in.

Let me explain it one more time:

  • There is a client (the user) and a server (your website backend).

  • The client signs up and logs in for the first time.

  • This request is received by the server.

  • Now, the server needs to keep track of the user — so the server creates a token (JWT) and sends it to the client.

  • The client/browser stores this token.

  • And every time the client makes a request, the token is sent along.

  • This way, the server knows: “Oh yeah, this is the same person.”

So, basically:

The token (JWT) is like a key that the server gives the client to prove their identity every time they talk.

Diagram created using Excalidraw


Structure of a JWT

JWT has three parts, separated by dots (.):

header.payload.signature

1. Header

  • Contains metadata like the algorithm (e.g. HS256) and token type (JWT).

2. Payload

  • Contains the claims: user-related data such as a user ID, and usually when the token was issued.

3. Signature

  • This is what protects the token from being tampered with (damaged or altered).

The signature ensures that if someone changes the payload, the server will detect it and reject the token.


Understanding the Process

So, earlier I said the server sends a token to the user, and the user sends it back with every request.

But there could be thousands of users doing the same thing.

How does the server know who is who?

It’s because:

  • The token has user info inside the payload.

  • And every time the user makes a request, that info comes along in the token.

  • So, the server checks it and says — oh, it’s you again!

Also, with JWT the server is stateless: it keeps no record of who is logged in between requests. So, each time, you have to say:

“Hey server, here’s my token. It’s me.”

And the server checks the signature and payload and goes:

“Yep. I know you. Welcome back.”


Is JWT Secure?

Yes and no.

  • It’s signed (it carries a signature), so no one can tamper with it (alter it) without the server noticing.

  • But it’s not encrypted, so anyone can decode it and see what’s inside using tools like jwt.io.

So never store passwords or sensitive data inside a JWT.



Summary

  • JWT is used in token-based authentication

  • It has three parts: header, payload, signature

  • It is signed, not encrypted — meaning the data is readable by anyone, but any alteration is detected

  • It should never store critical info like passwords

  • It enables stateless authentication, which is great for scalable apps

Thanks for reading!
This is my first blog, and I’m just starting out. If you’re also learning the MERN stack or have feedback, I’d love to hear from you. Let’s keep growing together!

Stay tuned — more coming soon as I build and learn!
