JWT
JSON Web Token: a compact, URL-safe token format with a JSON payload, a header, and a signature, widely used for authentication and stateless session data.
A JWT (JSON Web Token) is three base64url-encoded segments joined by dots: `header.payload.signature`. The header declares the algorithm (HS256, RS256, ES256, EdDSA), the payload carries claims such as `sub`, `iat`, and `exp`, and the signature lets the receiver verify that the token was not modified and was produced by a holder of the signing key. JWTs are everywhere in modern auth: OAuth 2.0 access tokens, OIDC ID tokens, API session cookies. Common pitfalls: accepting `alg: none`, confusing HS256 (HMAC, symmetric) with RS256 (asymmetric), and treating JWTs as encrypted (they are signed, not encrypted, unless wrapped as JWE, so anyone holding the token can read its claims).
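As an added example (not part of the original entry), a minimal HS256 issuer and verifier in pure-stdlib Python that shows the pitfalls above being closed: the verifier pins the expected algorithm instead of trusting the header, compares the HMAC in constant time, and checks `exp`. The key, claims, and timestamps are constructed demo values.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)

def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Verify and return the claims. The algorithm is pinned by the verifier, never
    taken from the header, so 'alg: none' and HS256/RS256 confusion are refused."""
    h, p, s = token.split(".")                      # ValueError if not exactly 3 segments
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def verification_error(token: str, key: bytes, now: int):
    """Rejection reason as a string, or None when the token verifies."""
    try:
        verify_hs256(token, key, now)
    except ValueError as err:
        return str(err)
    return None

# Constructed demo values, not real credentials
KEY = b"constructed-demo-secret"
TOKEN = sign_hs256({"sub": "alice", "iat": 1700000000, "exp": 1700003600}, KEY)
HEADER, PAYLOAD, SIG = TOKEN.split(".")
# Signed, not encrypted: anyone holding the token can read the claims without the key
UNVERIFIED_CLAIMS = json.loads(b64url_decode(PAYLOAD))
# Unsigned token carrying alg=none, which a pinned verifier must refuse
NONE_TOKEN = b64url_encode(b'{"alg":"none"}') + "." + PAYLOAD + "."
# Same header and signature, payload edited after signing: the HMAC no longer matches
TAMPERED = HEADER + "." + b64url_encode(b'{"sub":"admin"}') + "." + SIG
```

Production code should use a maintained library and still pin the algorithm the same way, for example PyJWT's `jwt.decode(token, key, algorithms=["HS256"])`.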