What is a JSON Web Token?
A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519 that represents claims between two parties as a digitally signed JSON object, enabling stateless authentication and information exchange.
Also known as: JSON Web Token, JWTs
A JWT consists of three base64url-encoded parts separated by dots: a header (specifying the signing algorithm), a payload (containing claims — key-value pairs like user ID, roles, and expiration time), and a signature (computed over the header and payload using a secret or private key). The signature allows any party with the verification key to confirm the token has not been tampered with.
JWTs are widely used as bearer tokens in API authentication. After a user logs in, the server issues a JWT containing their identity and permissions. The client includes this JWT in subsequent requests (typically in the Authorization header), and the server verifies the signature without needing to query a database or session store. This stateless property makes JWTs attractive for distributed systems and microservice architectures where sharing session state across services is impractical.
JWTs carry important security considerations. Because the payload is only base64url-encoded (not encrypted), anyone who intercepts a JWT can read its contents — never put secrets in JWT payloads unless using JWE (JSON Web Encryption). Tokens must have short expiration times because a signed token cannot be easily revoked once issued; the server has no session record to delete. Algorithm confusion attacks, where an attacker sets the header's "alg" field to "none" or swaps an asymmetric algorithm for a symmetric one so that the public key is used as an HMAC secret, have been a recurring vulnerability in JWT libraries; a verifier should pin the expected algorithm rather than trust the one named in the header.
How Vaulted uses JSON Web Token
Vaulted does not use JWTs for authentication or session management, as it has no user accounts. However, JWTs and other bearer tokens are frequently shared credentials that need secure transmission — for example, sharing a long-lived API token or a service-to-service JWT secret with a colleague during an incident. Vaulted provides encrypted, self-destructing delivery for these tokens, ensuring they do not persist in communication channels.