
Showing posts from October, 2020

OAuth 2.0 vs JWT

JWT
- JWT replaces the cookie and makes APIs / Web stateless.
- A JWT can easily be decoded: header and payload are only base64url-encoded, not encrypted.
- JWT has no true logout.
- Always use: Authorization: Bearer <TOKEN>
- The Bearer authentication scheme prevents CSRF attacks (the browser does not attach an Authorization header automatically the way it attaches a cookie).

A sample JWT token includes the following elements.

Header: algorithm and token type
{ "alg": "HS256", "typ": "JWT" }

Payload: data
{ "sub": "1234567890", "name": "John Doe", "admin": true }

Verify signature:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Final output:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 . eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 . TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Using JWT.IO we can easily decode, verify and generate JWT tokens.

OAuth 2.0: Authorization Framework: supports APIs, Web, etc.

OAuth 2.0 key components:
- Authorization Server (token factory, e.g. GitHub)
- Resource Server (API / Microservice, e.g. GitHub API)
- Client (UI / Mobile / API / Microservi
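The header.payload.signature construction described in the post, worked through in plain Python as an added example (this is not code from the original post or from jwt.io). It uses the post's own sample header, payload and token; the signing secret `b"constructed-demo-secret"` is an assumption made up for the example, so the signature it produces is not the one shown on the page. The example shows the two security-relevant points above: anyone can decode a token without the secret, but only a holder of the secret can produce or verify a signature, and a verifier must pin the algorithm rather than trust the `alg` field in the token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The sample token quoted in the post, joined back into its three dot-separated segments.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9"
    ".TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)

# Constructed secret for this example only; not the secret behind SAMPLE_TOKEN.
DEMO_SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj: dict) -> bytes:
    # Compact separators reproduce the byte-exact JSON used in the post's sample.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_compact(header)) + "." + b64url_encode(_json_compact(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    # No secret needed: this is why a JWT must never carry data the bearer may not read.
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Returns the payload only if the signature checks out; None otherwise.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token pick it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    # Re-encode the payload but keep the old signature: used below to show that
    # verification rejects it even though decode_unverified() happily reads it.
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(_json_compact(new_payload)) + "." + sig_b64


if __name__ == "__main__":
    header, payload = decode_unverified(SAMPLE_TOKEN)
    print("decoded without any secret:", header, payload)

    token = sign_hs256(payload, DEMO_SECRET)
    print("verify with right secret:", verify_hs256(token, DEMO_SECRET))
    print("verify with wrong secret:", verify_hs256(token, b"other"))
    print("verify tampered payload:", verify_hs256(tamper_payload(token, {**payload, "admin": False}), DEMO_SECRET))
```

Because the sample header and payload are serialised in compact form, `sign_hs256` reproduces the first two segments of the post's token byte-for-byte; only the third segment differs, since it depends on the secret.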