
JWT (JSON Web Token)

What is a JWT?

A JSON Web Token is a compact, signed token that carries a small set of claims, typically who the user is and what they are allowed to do. It has three parts: a header, a payload of claims, and a signature. The server signs it with a secret or private key, hands it to the client after login, and the client sends it back with each request. The server verifies the signature and trusts the contents without looking anything up.

That last point is the whole appeal. A traditional session stores state on the server and checks the database on every request. A JWT is self-contained, so any server holding the verification key can validate it, which suits APIs and distributed systems where there is no shared session store. The payload is signed, not encrypted, so it is readable by anyone who holds the token, which means secrets never go inside it. The hard part is revocation: because the token is valid until it expires, you cannot simply delete a session to log someone out. After signing in to an API, a client receives a JWT and attaches it to every subsequent call, and the server reads the user's identity straight from the verified token.

JWTs usually pair short-lived access tokens with longer-lived refresh tokens to balance convenience against the revocation problem.

JWTs at Dallonses

We use JWTs where they fit, which is stateless API authentication across services, and we are deliberate about where they do not fit. Short expiry on access tokens, refresh tokens handled carefully, and no sensitive data ever stuffed into a payload that anyone can decode. The revocation gap is real, so we design for it rather than discovering it the day a client needs to force-log-out a compromised account.

Authentication is one of those areas where a small mistake becomes a security incident, so we treat it as core engineering, not a library you wire up once. Token storage, expiry, refresh flows, and signature validation all get the same scrutiny as the rest of our custom web application development and API-first development work. The goal is auth that is invisible when it works and impossible to bypass when someone tries.

Building authentication into an API and want it done right? Let's get the token strategy solid.
