今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

Decoding JWT: It's Not Encryption, It's a Signature

Tanmay Upadhyay 2026年07月09日 05:17 2 次阅读 来源:Dev.to

Every API request needs to answer: who is this, and are they allowed? Session auth answers it by having the server remember every login. JWT answers it by making the client carry its own proof — no server memory needed. What's inside a token Header . Payload . Signature. Header and payload are just base64-encoded — readable by anyone, not encrypted. The signature is what matters: a hash of the header + payload, made with a secret key only the server knows. Change one character of the payload, the signature breaks, the server rejects it. Trust comes from the math, not from hiding the data. Client logs in with credentials Server verifies them, signs a token, sends it back Client attaches the token to every future request Server checks the signature — no database lookup Valid + not expired → request proceeds No session table anywhere. The auth state lives inside the token itself. The trade-off Can't instantly revoke a token — it's valid until it expires. Fix: short-lived access tokens + a revocable refresh token. Payload is readable, so never put sensitive data in it. Security comes from HTTPS + safe client-side storage, not secrecy. One-liner to remember it by Session auth: remember who logged in, check memory each time. JWT: remember nothing, verify the proof each time.

本文内容来源于互联网,版权归原作者所有
查看原文