JWT

JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting claims between parties. It consists of three parts: header, payload, and signature.

Standard JWT (JWS) is signed but not encrypted - the payload is Base64 encoded and readable. For encryption, use JWE (JSON Web Encryption). Never store sensitive data in standard JWT.

HS256 uses symmetric key (same secret for signing and verifying). RS256 uses asymmetric keys (private key signs, public key verifies). RS256 is better for distributed systems.