JSON Web Tokens (JWTs) are still a pretty new standard for carrying out authentication; not everyone knows about them, and even fewer people use them. This section does not provide a theoretical excursion through the mathematical or cryptographic basics of JWTs.
In traditional web applications written in PHP, for example, you commonly have a session cookie. This cookie identifies the user session on the server. The session must be stored on the server to retrieve the initial user. The problem here is that the overhead of saving and querying all sessions for all users can be high. When using JWTs, however, there is no need for the server to preserve any kind of session id. Generally speaking, a JWT consists of everything you need to identify a user. The most common approach is to store the creation time of the token, the username, the user id, and maybe the role, such as an admin or a normal user. You should not include any personal or critical data for security reasons.
The reason a JWT exists is not to encrypt or secure data in any way. Instead, to authorize yourself at a resource like a server, you send a signed JWT that your server can verify. It can only verify the JWT if it was created by a service stated as authentic by your server. In most cases, your server will have used its public key to sign the token. Any person or service that can read the communication between you and the server can access the token and can extract the payload without further ado. They are not able to edit the content though, because the token is signed with a signature.
The token needs to be transported and stored securely in the browser of the client. If the token gets into the wrong hands, that person is able to access the affected application with your identity, initiate actions in your name, or read personal data. It is also hard to invalidate a JWT. With a session cookie, you can delete the session on the server, and the user will no longer be authenticated through the cookie. With a JWT, however, we do not have any information on the server. It can only validate the signature of the token and find the user in your database. One common approach is to have a blacklist of all the disallowed tokens. Alternatively, you can keep the lifetime of a JWT low by specifying the expiration date. This solution, however, requires the user to frequently repeat the login process, which makes the experience less comfortable.
JWTs do not require any server-side storage. The great thing about server-side sessions is that you can store specific application states for your user and, for example, remember the last actions a user made. Without a server-side store, you either need to implement these features in localStorage or implement a session store, which is not required for using JWT authentication at all.
In our example, we are going to use JWTs, since they are a modern and decentralized method of authentication. Still, you can choose to opt out of this at any point and instead use regular sessions, which can be quickly realized in Express.js and GraphQL.