Stands for JSON Web Token.
It is mostly stored on the client, e.g. in memory or local storage.
- User logs in with credentials
- Server verifies credentials and creates JWT
- Server sends JWT to client
- Client includes the JWT in the Authorization header (typically as `Bearer <token>`). This is often done automatically for further requests.
- Server verifies the JWT signature on each request. Because the token is signed, the server knows who the user is without a session lookup: the token usually contains the user id, so the server gets all the information it needs from the token itself.
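The flow above, as an added example that is not part of the original note: a minimal HS256 JWT issuer and verifier written with only the Python standard library. The secret, the user id and the timestamps are constructed for the demo; the verifier checks the `alg` header, the HMAC signature (with a constant-time comparison) and the `exp` claim before trusting the `sub` claim, and extracts the token from a `Bearer` Authorization header as the client would send it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def create_jwt(user_id: str, secret: bytes = SECRET, ttl: int = 3600, now: int = None) -> str:
    """Server side: after verifying credentials, issue a signed token carrying the user id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: int = None):
    """Server side, on each request: return the user id if the token is valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Only accept the algorithm we issued; never let the token pick it (e.g. "none").
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
        if int(payload.get("exp", 0)) <= now:
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        # Malformed segment, bad base64/JSON or missing claim: treat as invalid.
        return None


def token_from_authorization_header(value: str):
    """Client sends 'Authorization: Bearer <token>'; pull the token out of that header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token.strip()


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    token = create_jwt("user-42", now=issued_at)
    header_value = f"Bearer {token}"
    print("user:", verify_jwt(token_from_authorization_header(header_value), now=issued_at + 60))
    print("after expiry:", verify_jwt(token, now=issued_at + 7200))
```

The verifier deliberately reads the algorithm from a fixed allow-list rather than trusting whatever the token's header says, and compares signatures with `hmac.compare_digest` so that timing does not leak how many bytes matched.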