What is JWT (JSON Web Token)?

Turkish: JWT

JWT is a signed and encoded JSON-based token standard used to carry verifiable claims between APIs, clients, and services.

What is JWT?

JWT (JSON Web Token) carries verifiable information about a user or system in a compact token. Its most common use is allowing a signed-in user to call APIs without sending a password on every request.

A JWT has three dot-separated parts: header.payload.signature. The header names the signing algorithm, the payload carries claims such as a user ID or permissions, and the signature lets the receiver confirm that the header and payload have not been altered since the token was signed. All three parts are Base64URL-encoded, not encrypted, so anyone holding the token can read the payload.

What to Watch For

  • Short-lived access tokens: The exp claim should limit how long a token can be used.
  • Refresh token separation: Long-lived refresh tokens need stricter storage and rotation rules.
  • Signature validation: The server must verify the signature and check the algorithm, issuer (iss), and audience (aud) claims; these checks cannot be delegated to the client.
  • Sensitive data: National ID numbers, card data, and secrets should not be placed in the payload.
  • HTTPS: Requests carrying tokens must use encrypted transport.
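The following script is an added example, not code from the original page. Using only the Python standard library, it builds an HS256-signed token in the header.payload.signature form described above, shows that the payload can be read without the key, and implements the server-side checks from the list (pinned algorithm, signature, issuer, audience, expiry). The secret, issuer, audience and claim values are constructed for the demo and are not real identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not taken from the page).
SECRET = b"demo-shared-secret-do-not-reuse"
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"


def b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded Base64URL.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    # Compact JSON, then Base64URL, gives one token segment.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    signing_input = json_segment({"alg": "HS256", "typ": "JWT"}) + "." + json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_payload(token: str) -> dict:
    """Decode the payload with NO verification. Anyone holding the token can do
    this, which is why secrets and sensitive data must not be placed in claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(b64url_decode(parts[1]))


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Server-side validation: pinned algorithm, signature, iss, aud and exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The accepted algorithm is fixed by the verifier, never read from the token,
    # so a header claiming "none" or any other algorithm is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    return claims


def check(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
          audience: str = AUDIENCE, now: Optional[float] = None) -> str:
    """Return "ok" or the rejection reason, suitable for an auth log line."""
    try:
        verify_hs256(token, secret, issuer, audience, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    claims = {"sub": "user-42", "role": "reader", "iss": ISSUER, "aud": AUDIENCE,
              "iat": issued, "exp": issued + 300}
    token = sign_hs256(claims, SECRET)
    print("payload is readable without the key:", peek_payload(token))
    print("fresh token:", check(token, now=issued + 60))
    print("after exp:", check(token, now=issued + 600))
```

The verifier pins the algorithm to HS256 rather than trusting the header's alg field, compares signatures in constant time, and only reads claims after the signature has passed; a token whose payload was edited, whose header says "none", or whose exp has passed is rejected with a distinct reason that can be logged. A production service would normally use a maintained JWT library and asymmetric keys for cross-service tokens, but the order of checks stays the same.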

Business Use

JWT is used in mobile app sessions, single-page applications, API access, service-to-service identity propagation, and temporary invitation links. Its stateless nature can reduce database reads for every request, but token revocation and permission changes must be planned from the start.

In OAuth 2.0 flows, JWT may be used as an access token, but OAuth 2.0 and JWT are not the same thing. OAuth 2.0 is an authorization framework; JWT is a token format. That distinction matters when designing secure API access.