Security / Auth

JWT

A signed, self-contained token that proves who a user is on each request without the server looking anything up.

A JWT (JSON Web Token) is like a tamper-evident festival wristband: it carries a bit of data (who you are, when it expires) plus a cryptographic signature, so the server can trust it without a database check. Crucially it's signed, not encrypted — anyone can read what's inside, so never put secrets in it. The classic AI-generated mistake is stashing the token in localStorage where any injected script can steal it; prefer an httpOnly cookie so JavaScript can't touch it.