interview

home / developersection / interviews / jwt working process

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

27-Jul-2025

JWT Working Process Guide

1. Client Logs In

User sends username and password or credentials to the server (typically in a POST to /login).

Below is an example of a POST request to /login.

POST /login
{
  "username": "john",
  "password": "123456"
}

2. Server Validates and Generates JWT

  • If credentials are correct, the server generates a JWT token that contains a payload (user details, roles, expiry, etc.)
  • Server signs the JWT using a secret key.

JWT Example Structure (3 parts):

xxxxx.yyyyy.zzzzz
  • xxxxx: Header (alg + type)
  • yyyyy: Payload (data such as user ID)
  • zzzzz: Signature (proves integrity)

3. JWT Sent to Client

The server returns the JWT in the response body or header.

{
  "token": "eyJhbGciOiJIUzI1NiIsInR..."
}

4. Client Stores Token

The client (typically browser/app) stores it in localStorage, sessionStorage, or cookies.

5. Client Sends JWT in Requests

For every subsequent request to secured endpoints, the client includes the token in the Authorization header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR...

6. Server Verifies JWT

  • The server verifies:
    • Signature validity (via secret key)
    • Token expiration (exp field)
    • Optional claims such as aud, iss, etc.
  • In case of being valid, access is permitted.
     

7. If Token Invalid/Expired

Server sends back 401 Unauthorized.

Example JWT Payload (Decoded)

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "exp": 1722460400
}

Security Tips

  1. Use HTTPS always.
  2. Store the secret key securely.
  3. Use short expiration (exp) for access tokens.
  4. Use refresh tokens if required for re-authentication.
advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy