๐Ÿ” Node.js

JWT Authentication Explained — How Login Actually Works

📅 Jul 2, 2026 ⏱ 5 min read

Every full-stack interview asks "how does login work?" JWT (JSON Web Token) is the modern answer.

The flow

  1. User POSTs email+password
  2. Server verifies, signs a token: jwt.sign({ userId: 42 }, SECRET, { expiresIn: "15m" })
  3. Client stores it and sends it on every request: Authorization: Bearer <token>
  4. Server verifies the signature — no database session lookup needed

What's inside a JWT

header.payload.signature
// header:  { alg: "HS256" }
// payload: { userId: 42, exp: 1750000000 }   ← readable by ANYONE (base64url-encoded, not encrypted)
// signature: HMAC over header.payload with the server's secret; proves neither part was tampered with

Key insight interviews test: JWTs are signed, not encrypted — never put secrets in the payload.

Where to store it (the debate)

JWT vs sessions one-liner

"Sessions store state on the server (easy to revoke, needs sticky storage); JWTs store state in the token (stateless, scales horizontally, revocation is harder)."

โ† All Articles