What is JWT (JSON Web Token)?
Turkish: JWT
JWT is a signed and encoded JSON-based token standard used to carry verifiable claims between APIs, clients, and services.
What is JWT?
JWT (JSON Web Token) carries verifiable information about a user or system in a compact token. Its most common use is allowing a signed-in user to call APIs without sending a password on every request.
A JWT has three parts: header.payload.signature. The header describes the algorithm, the payload contains claims such as user ID or permissions, and the signature proves that the token has not been changed. These parts are Base64URL-encoded, not encrypted, so the payload should be treated as readable.
What to Watch For
- Short-lived access tokens: The exp claim should limit how long a token can be used.
- Refresh token separation: Long-lived refresh tokens need stricter storage and rotation rules.
- Signature validation: Algorithm, issuer, and audience checks must happen on the server.
- Sensitive data: National ID numbers, card data, and secrets should not be placed in the payload.
- HTTPS: Requests carrying tokens must use encrypted transport.
Business Use
JWT is used in mobile app sessions, single-page applications, API access, service-to-service identity propagation, and temporary invitation links. Its stateless nature can reduce database reads for every request, but token revocation and permission changes must be planned from the start.
In OAuth 2.0 flows, JWT may be used as an access token, but OAuth 2.0 and JWT are not the same thing. OAuth 2.0 is an authorization framework; JWT is a token format. That distinction matters when designing secure API access.
Related Terms
API Key: An API key identifies an application or developer and supports quota tracking, access limits, and basic server-to-server security.
API (Application Programming Interface): An API is a contract that lets software systems request approved data or actions from one another through documented endpoints.
Cookie: A cookie is a small browser-stored value tied to a domain, used for sessions, preferences, consent, and limited tracking.
CSRF (Cross-Site Request Forgery): CSRF tricks a logged-in user's browser into sending an unwanted state-changing request, often by abusing automatic cookies.
Mobile App Security: Mobile app security protects application code, API traffic, sessions, and on-device data from abuse and compromise.
OAuth 2.0: OAuth 2.0 is an authorization framework that allows third-party applications to access resources without the user's password.
Session: A session links a user's identity and temporary state across requests in a web application, using server-side or client-side storage.
Token Refresh: Token refresh obtains a new short-lived access token with a refresh token, keeping sessions active without asking users to log in again.