A signed, base64url-encoded token format that encodes claims about a user; the standard primitive for stateless authentication.
A JWT is a compact, URL-safe token that encodes a JSON payload of claims (user ID, expiration, scopes, tenant) signed with a key the verifier can check. Once issued, the token can be passed in HTTP Authorization headers and verified statelessly, no database lookup needed. JWTs are the backbone of OAuth 2 / OIDC flows and most modern API authentication. The downside is revocation: a leaked token is valid until expiry, so short TTLs and refresh-token rotation matter.
Stateless auth scales horizontally because every backend can verify the token without a session-store round trip. The cost is operational: a key compromise invalidates every token signed with that key, and a leaked token can't be revoked mid-life. Pair JWTs with a key-rotation schedule, short access-token TTLs (under 15 min), and a revocation-list path for high-impact accounts.