Learn the basics of user authentication on the backend and how to use JSON Web Tokens (JWT) for stateless authentication.
Authentication is the process of verifying the identity of a user. In a web application, this typically involves a user providing credentials (such as a username and password), which the server then validates. Once a user is authenticated, the server needs a way to remember them on subsequent requests so they don't have to log in every time they visit a new page. One common, modern approach is the JSON Web Token (JWT): a compact, URL-safe way of representing claims to be transferred between two parties.

The authentication flow with JWT works as follows:

1. The user sends their credentials to a login endpoint on the server.
2. The server verifies the credentials. If they are valid, the server creates a JWT. This token contains a 'payload' of data (e.g., the user's ID and role) and is digitally signed using a secret key known only to the server.
3. The server sends this JWT back to the client.
4. The client stores the JWT (e.g., in local storage or a secure cookie).
5. For every subsequent request to a protected API endpoint, the client includes the JWT in the `Authorization` header (usually as a 'Bearer' token).
6. The server receives the request, extracts the token, and verifies its signature using the secret key. If the signature is valid, the server trusts the payload and can use the information within it (such as the user ID) to process the request.

This method is 'stateless' because the server does not need to store any session information; all the necessary data is contained within the token itself.
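The token issue and verify steps above, as an added example written for this page (not code from the original): a minimal HS256 JWT built from the standard library only. The secret, the `sub`/`role` claims and the one-hour lifetime are constructed for the demo; the server pins the algorithm, compares signatures in constant time and checks `exp` before trusting any claim.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real server loads this from a secret store, never from source.
SECRET = b"demo-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, role, ttl=3600, now=None):
    """Step 2: encode header and claims, then sign them with HMAC-SHA256 (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_token(token, now=None):
    """Step 6: verify the signature before trusting any claim; return the payload or None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64url, or malformed JSON
        return None
    # Pin the algorithm server-side: the token must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload  # only now are the claims trustworthy

def authorize_request(headers, now=None):
    """Steps 5 and 6: pull the Bearer token out of the Authorization header and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, now)
```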