# JSON Web Token or JWT (Summary Notes)

## What is JWT used for?

Use it for *authorization*, not for authentication. Authentication is checking the username and password. *Authorization* is making sure that the user sending a request is the same user who logged in during authentication.

## Why should we use JWT?

A JWT is signed with the server's own secret key, so the server can check whether it has been tampered with. The user information is stored in the JWT itself instead of on the server (an advantage over a traditional session ID).

## JWT structure

### Header

Algorithm information. Does not matter that much.

### Payload

Normally it consists of the userId, the data being sent along with it, and the date the JWT was issued.

### Verify signature

Combine the header and the payload, then sign the combined string with the chosen algorithm using the secret key.
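The three parts described above (header, payload, signature) can be built and checked with nothing but the standard library. The following is an added example written for these notes, not code from the original; it assumes HS256 (HMAC-SHA256), a constructed demo secret, a constructed payload carrying `userId`, `iat` and `exp`, and hypothetical helper names (`create_jwt`, `verify_jwt`, `modify_payload_unsigned`). It shows why the signature lets the server detect a changed payload or a token signed with a different key, and why the server should compare signatures in constant time and check expiry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # re-add the padding that was stripped on encode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature, signed with HS256 over the encoded header and payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the signature is valid and the token is not expired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # accept only the algorithm this server is configured for, not whatever the token claims
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def modify_payload_unsigned(token: str, new_payload: dict) -> str:
    """Swap in a different payload while keeping the old signature (constructed input for the detection test)."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; use a long random key in practice
    token = create_jwt({"userId": 42, "iat": 1700000000, "exp": 1700003600}, secret)
    print(token)
    print(verify_jwt(token, secret, now=1700000100))
    for bad in (modify_payload_unsigned(token, {"userId": 1, "exp": 1700003600}),):
        try:
            verify_jwt(bad, secret, now=1700000100)
        except ValueError as err:
            print("rejected:", err)
```

The payload is only base64url-encoded, not encrypted, so anything placed in it is readable by whoever holds the token; the signature protects integrity, not confidentiality.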