JWT

JWTs are an open, industry-standard method, defined in RFC 7519 (https://tools.ietf.org/html/rfc7519.html), for representing claims securely between two parties. The way we use them is simple. First, we authenticate to the backend server by providing a username and password. If our credentials are correct, the backend server generates a token containing the user information, which the client persists using a local storage mechanism. This JWT is passed to the server in every request so that the server can recognize who the user is and what permissions they have; with this information, the server allows or denies the request.

Let's understand how this works. Navigate to https://jwt.io/; scroll down a little, and you will find the example section similar to the following image:

Let's read the information from right to left. On the right, we have the Decoded section that has three sections:

  • HEADER: Contains information about the algorithm used to sign the token
  • PAYLOAD: The piece of information that we define and use in our application, for example, user information (note that the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it)
  • VERIFY SIGNATURE: The signature of the token; we define a secret value that is used to sign our token

In the Encoded section on the left, we can see the final token, computed from the three sections mentioned earlier.

As you might guess, this signed token is generated by our backend server and delivered to the user every time they log in to the application. The client saves the token and sends it on every request in the Authorization HTTP header. Let's see how all this works.
