Every full-stack interview asks "how does login work?" JWT (JSON Web Token) is the modern answer.
The flow
- User POSTs email+password
- Server verifies the credentials and signs a token:
  jwt.sign({ userId: 42 }, SECRET, { expiresIn: "15m" })
- Client stores it and sends it on every request:
  Authorization: Bearer <token>
- Server verifies the signature and the exp claim; no database session lookup needed
What's inside a JWT
header.payload.signature
// header: { alg: "HS256", typ: "JWT" }
// payload: { userId: 42, exp: 1750000000 } readable by ANYONE (base64url-encoded, not encrypted)
// signature: HMAC-SHA256 over "header.payload" with SECRET; proves it wasn't tampered with
Key insight interviews test: JWTs are signed, not encrypted. Never put secrets in the payload, and verify with the algorithm pinned server-side (jwt.verify(token, SECRET, { algorithms: ["HS256"] })): a verifier that trusts the alg from the token's own header can be talked into "none" or into a different algorithm than the key was issued for.
Where to store it (the debate)
- localStorage: easy, but readable by any XSS-injected script, which can exfiltrate the token and use it from anywhere until it expires
- httpOnly cookie: JS can't read it (XSS can't steal it outright, though injected script can still make requests as the user), but the browser attaches it automatically, so it needs CSRF protection (SameSite=Lax or Strict plus a CSRF token on state-changing requests)
- Common production answer: short-lived access token held in memory + long-lived refresh token in an httpOnly, Secure, SameSite cookie whose Path is scoped to the refresh endpoint
JWT vs sessions one-liner
"Sessions store state on the server (easy to revoke; needs a shared session store or sticky sessions); JWTs store state in the token (stateless, scales horizontally; revocation is harder: you either wait for exp or keep a denylist, which reintroduces server-side state)."