WTF Are JWTs?
Blog post from Neon
JSON Web Tokens (JWTs) have become a foundational element in modern web authentication and authorization, offering a stateless, compact, and self-contained way to transmit information securely between parties. Emerging in the early 2010s, JWTs addressed the scalability and cross-domain limitations of traditional session-based authentication and were standardized in 2015 as RFC 7519.

A JWT consists of three base64url-encoded parts: the header, which carries metadata about the token (such as the signing algorithm); the payload, which contains claims about the user and session; and the signature, which lets the recipient verify that the token was produced by the holder of the signing key and has not been altered. These tokens are particularly useful in microservices architectures, where each service can verify a user's identity without consulting a shared session database.

JWTs are signed but not encrypted by default, so they provide authenticity and integrity but not confidentiality: anyone holding a token can read its payload. They integrate smoothly with platforms like Neon RLS, which uses JWT claims to enforce row-level security policies so that users can access only the data they are authorized to see. For verification, JWTs rely on JSON Web Key Sets (JWKS) to publish and manage the cryptographic keys used to check signatures, which allows key rotation and lets verifiers establish trust in the issuer. Although they are not encrypted, JWTs can still be used securely by storing only non-sensitive identifiers in the token and fetching sensitive data from the database when it is needed.
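To make the structure and the "signed, not encrypted" point concrete, here is an added example (not code from the Neon post) that builds and verifies an HS256 JWT with only the Python standard library. The key set keyed by "kid" is a constructed stand-in for a JWKS (symmetric keys for brevity; a real JWKS publishes public keys), and the claims, key names and key values are all made up for the demo.

```python
# Minimal HS256 JWT signer/verifier (added example, standard library only).
# Shows the three dot-separated base64url parts, that the payload is readable
# without any key, and that a wrong key, tampered payload, unknown kid or
# expired token all fail verification.
import base64, hashlib, hmac, json, time

# Constructed key set keyed by "kid", standing in for a JWKS; allows rotation.
KEYS = {"2024-01": b"constructed-old-key", "2024-06": b"constructed-current-key"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_jwt(claims: dict, kid: str, keys: dict = KEYS) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(keys[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def peek_claims(token: str) -> dict:
    # No key needed: the signature gives integrity, not secrecy.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, keys: dict = KEYS, now=None):
    """Return the claims if the token verifies and is unexpired, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm and pick the key by kid; never let the token choose alg.
    key = keys.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

Call `sign_jwt({"sub": "user_42", "exp": ...}, "2024-06")` and then `peek_claims` versus `verify_jwt` to see the difference between reading a token and trusting it.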