Examples
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQAuthorization: Bearer {jwt_token}Refresh token flow: access token (15min) + refresh token (7 days)
FAQ
Is JWT encrypted or just signed?
By default it's only signed (JWS). The payload is visible in Base64. If you need encryption, use JWE (JSON Web Encryption), but it's less common and more complex.
How do I invalidate a JWT before it expires?
JWT is stateless, you can't invalidate it directly. Solutions: (1) short expiration + refresh tokens, (2) blacklist in Redis, (3) token versioning with jti claim. All add server-side state.
Is it safe to store JWT in localStorage?
Vulnerable to XSS. If a malicious script executes, it can read localStorage. Safer alternative: HttpOnly cookies (protect against XSS but need CSRF tokens). Ideal: HttpOnly cookies + SameSite=Strict.