Where should I store JWTs on the client?

Store access tokens in memory (JavaScript variable) and refresh tokens in HTTP-only, Secure, SameSite cookies. Avoid localStorage — it is vulnerable to XSS attacks.

Can I revoke a JWT before it expires?

Not natively, since JWTs are stateless. The common workaround is a token revocation list (blocklist) checked on each request. Keep access token lifetimes short (15 minutes) so revocation is rarely needed.

What is the difference between JWT and OAuth?

JWT is a token format; OAuth is an authorization framework. OAuth often uses JWTs as its token format, but they solve different problems. JWT defines how to encode and verify claims; OAuth defines how to delegate access between services.

JWT Authentication Explained

Stateless, signed tokens that let your API verify user identity without server-side sessions.

JWT Authentication

JWT (JSON Web Token) authentication is a stateless authentication mechanism where the server issues a signed token containing user claims (identity, roles, expiration) that the client includes in subsequent requests. The server verifies the token signature without needing to look up session state in a database.

Explanation

Traditional session-based authentication stores user state on the server: after login, the server creates a session record and sends a session ID cookie to the browser. Every subsequent request includes the cookie, and the server looks up the session to identify the user. This works but requires server-side storage and makes horizontal scaling harder — all servers need access to the session store. JWT authentication eliminates server-side session storage. After verifying credentials, the server creates a JSON object with user claims (user ID, roles, expiration time), signs it with a secret key (HMAC) or private key (RSA/ECDSA), and returns the token. The client stores it (typically in memory or an HTTP-only cookie) and includes it in the Authorization header of every request. The server verifies the signature and extracts user information directly from the token — no database lookup required. JWTs are compact, URL-safe, and self-contained, making them ideal for microservices architectures where multiple services need to verify user identity independently. However, they cannot be revoked before expiration (unlike sessions), so short expiration times combined with refresh tokens are the standard pattern. Token size can also become an issue if too many claims are included.

Bookuvai Implementation

Bookuvai projects use JWT authentication with short-lived access tokens (15 minutes) and long-lived refresh tokens stored in HTTP-only cookies. Our standard auth module includes role-based access control encoded in JWT claims, automatic token refresh, and a token revocation list backed by Redis for emergency invalidation. The auth architecture is established as part of the first milestone in every project.

Key Facts

Stateless — no server-side session storage required
Standard format (RFC 7519) supported by every major framework
Best practice: short-lived access tokens (15 min) + refresh tokens

Related Terms

Frequently Asked Questions

Where should I store JWTs on the client?: Store access tokens in memory (JavaScript variable) and refresh tokens in HTTP-only, Secure, SameSite cookies. Avoid localStorage — it is vulnerable to XSS attacks.
Can I revoke a JWT before it expires?: Not natively, since JWTs are stateless. The common workaround is a token revocation list (blocklist) checked on each request. Keep access token lifetimes short (15 minutes) so revocation is rarely needed.
What is the difference between JWT and OAuth?: JWT is a token format; OAuth is an authorization framework. OAuth often uses JWTs as its token format, but they solve different problems. JWT defines how to encode and verify claims; OAuth defines how to delegate access between services.