
What Is JWT and Why Should You Use JWT

284 333 views | 27 Jul. 2019


JSON Web Tokens (JWT) are talked about all the time, but what exactly are they and how do they work? In this video I explain in depth what JWT is, how it works, why it is secure, and when you should use it. We go through multiple visual demonstrations of exactly how and why JWT works, and we compare JWT to the more common and traditional session-based user authorization. By the end of this video you will have a complete understanding of JWT, how it works, and when you should use it.

Materials/References:

JWT Authentication Implementation Video: https://youtu.be/mbsmsi7l3r4

JWT Playground: https://jwt.io/

Concepts Covered:

- What JWT is

- JWT vs Session

- The components of JWT

- How JWT is secure

- When you should use JWT

- The advantages of JWT

Find Me Here:

My Website: https://webdevsimplified.com

Patreon: https://www.patreon.com/WebDevSimplified

Twitter: https://twitter.com/DevSimplified

Discord: https://discord.gg/7StTjnR

GitHub: https://github.com/WebDevSimplified

CodePen: https://codepen.io/WebDevSimplified


chandraguptha rajah


Tshepo Mokgoatjane

Nice one Kyle, you speak so clearly and sound highly knowledgeable about JWT. Really appreciate the effort you put into your videos. Awesome. Keep up the good work.

Halil Sekeroglu

Thanks

Vivek Chandraprakash

Thank you for the awesome introduction to JWT.

Lasindu Nuwanga


Ayman Alshanqiti

thank you so much

Hoai Phuc

Forgive me, O God, for watching this.



Just a question...
A user is using 3 different (but valid) tokens/connections to the server (e.g. browser, mobile app, desktop app). Now the user wants to discard two of them (mobile app && desktop app) from one connection/source. The user is logged in via the browser connection (one of the valid tokens) and wants to see all currently valid tokens/connections, to discard two of them (mobile app && desktop app). But using JWTs, the server doesn't know about the other tokens/connections. Yeah, so I can create and update/maintain a list of key-value pairs like [{"tokenName", "validateLifetime"}, ...] inside the user node of my MongoDB, but then it's a kind of session again.

Next problem...
The user also has 3 different valid tokens and wants to change the password. After doing that, the user has to log in again, because none of the tokens are valid anymore. Maybe for the currently used token it's possible for the server to respond with the "new" token, so the client overwrites the old one and can use the new one henceforth, to maintain the current connection. But all other tokens aren't valid after changing the auth characteristics. Correct?

In terms of security, this certainly makes sense and is correct. But it can be a little awkward for the usability.


Since when @pewdiepie started making tutorials?

Teresa Rosinski

Thank you!!


Awesome explanation of JWT. Great job. Thank you for sharing.

Julio de Leon

How to handle force logout? I want to forcefully logout a user, how can I invalidate it immediately?

Zachary Collier


Yash Tibrewal

Thanks for the vid.

Web Dev Simplified

I just posted an implementation to JWT authentication in Node.js based on popular demand. https://youtu.be/mbsmsi7l3r4

Fri Garcia

Ello I’m new here


But how do they store the secret on the server, in a database or a file?

Ehi Ehi

Wheres the super like button

Thank you. Brilliant description

Prakhar Vijay

Great video keep it up man

Jisi Rajan

Can you show us how we can use JWT in an ASP.NET Core Web API without Entity Framework?
Thank you!

Dmitry Programmer

Thanx! Very useful video

Robin R

why are you talking so fast?

Ferris Osman

too much talking


Hi Kyle, it was a nice, informative video but never assume that someone doesn't know how JWT really works or why he/she needs to use it. Be careful about what you are speaking.


Kyle, you saved my ass for future security hacks. After watching your video, I realised I was using JWT completely wrongly. You are one of the best web dev youtubers. I am your fan now!

dark vader

Very good explanation!!!

Armando Peña Leonett

Oh My god you really generate value content, thnk you buddy

Mohammed Abd El-Baki

I understood why JWT is important & why to use it, but still I don't get how will the server check it back when it's not storing it? What I concluded that when it decodes the JWT back from the client it won't fail if it didn't change right?, but what I don't get is if the token is sent to another server how will it still know it's an authorized user.
Thank you for your amazing effort & content :)

Omar Ashraf

Could I ask what application you used in presentation in minute 3:06 ?
Thanks a lot for the explanation :) <3

adam hack

It is not easy to concentrate on the video when the narrator is so hot and gorgeous.

Mecit Sarıgüzel

Awesome explanation!

Ihor Biedin

Awesome explanation!

Incredible Inventions


Ardianto Suhendar

Hi Kyle, great explanation that helped me understand as i'm new to JWT. However i stumbled across an article that also described that its dangerous to use JWT as stateless sessions: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
Just wondering what do you think? Thanks!

Francesco M

Very useful video! Thanks!

Ganesh Babu

After Mosh Hamedani's tutorial, your explanation seems clear to me.. Great post. Keep it up..

Nam pham

How does JWT "unhashes" the user information?

Elahe Dastan

great work

leo aldi

well explained, thankyou

Abhilash R

Super. Thanks for posting this useful information.


Thanks for making this simple and clear guides

Mr. Marcial Glori

It is like MD5: it can be decoded publicly on their website, jwt.io; just put the token there and it will give you the information.


Corporate needs to find the difference between these images
Me: 3:23 they are the exact same picture

Minh Long

Such an amazing explanation, totally cleared the confusion for me.

Matt Healy

What a great video! It doesn't have to be that complicated :)

Md. Dilshadul Islam

thanks bro

Felipe André

Thank you, my friend. Terrif. Congrats!

Adel Mourad

Awesome explanation

Code For Life

Finally today I understood what is actually a JWT, also diff between JWT and Session ID. Thank you so much.

Gagan Deep

Hi there,
There is one thing that is confusing me a lot: when the server creates the JWT, it is signed and sent to the browser, but then the user sends the next request with the JWT. How does the server know that this user has a correct JWT which is digitally signed by the server? Please help me

shahbaz ezaz

Hi I've a doubt, at the start of the video Kyle says JWT is authorisation related but towards the end he says authentication a few times. Is there anything I am missing here?

nsamba taufeeq

Thank you!

Aravind Appadurai

nice bro, I have been using this JWT for the last 1 year without knowing its security and purpose. thanks for the video.


A good thing to mention here is also security. Because, as he said, the cookie is automatically sent with the HTTP request to the server, which makes it easy for an attacker to do a so-called CSRF (Cross Site Request Forgery). But a JWT needs to be sent manually, which is nearly impossible for an attacker to do, because they don't know the JWT.

Олександр Степанюк

Hi, how and where is the JWT stored on the user's side?


Dude, you're a natural teacher. Thx.

Kevin Tam

JWT in this tutorial is all about authentication, not authorization, contrary to what was described, because its use here is identifying whether the user is the same user as the one that logged in (just like with sessions). Perhaps the confusion is that JWTs are commonly used for authorization by being created to grant access to APIs so that the API server knows the client is authorized to use the API. Nevertheless, JWTs can be used for authentication (as in this tutorial) such as "ID tokens" and also for authorization such as "access tokens". A clear tutorial apart from this!

Peter Aleksander Bizjak

Best explanation of JWT.

Kushal Jain

Great video dude! Just wanted to point out that the service which wants to authorize a user does not need the same private key! Instead, it can use a public key to verify the JWT. For more info refer, https://stackoverflow.com/questions/60538047/jwt-private-public-key-confusion. Hope it helps someone who came here with public/private key JWT confusion like me :)

ilyass zakaria

thank you so much man

Basma Mohamed

Thank you!!!

Badr Bellaj

There is an increasing number of web developers who claim JWTs have some benefits for use as session retention mechanism, instead of session cookies and centralized sessions. This should not be considered as good practice. => http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

Evan Kohi

So is the JWT also stored on the server side? Otherwise how does the server know it's the exact same one?

Sugesh P

Can we modify the JWT token expiry time for existing token?

Nora Tomas

At 3:56 you say the server creates a signature with "its own secret key"; the secret key sounds like the private key. Should the server not be signing things with its public key and checking them with the private key, or am I misunderstanding something? :)

Ron Sivan

At first you said JWT is used for authorization, not authentication but throughout the video you kept referring to it as an authentication method so I'm kinda confused by that.
Other than that the concept is well explained, good video

Majji Kishore

perfectly done

MaL7 Security, Networking & Programming

Subbed nice description!!!

Subramanian Chenniappan

Thanks bro

João Matos

2021: you're the best 'Web Dev'!!!

Adeoye Adesina

The best and detailed video I have watched so far, thanks.

George Smith

1. Explanation - awesome
2. Sound - awesome
3. Examples - concise and to the point

Wish I could give you 10 thumbs, man :)

chris Athanas

Helpful explanation

Chacha Feng

Very clear explanation. Easy to understand. Good job!!!

Лёля Лёля

Thank you for the explanation!

Edwin Agarwal



what about jwk json web keys, aws api gateway is asking me for this public key?

christopher joseph

this was wonderful


This was beyond awesome

Bhargava V

Wow perfect and clear explanation for JWT. So far the best


if the credential is encrypted and once the token is easily decrypted what is the purpose of the encryption?

Nipoon Patel


Enkhbold Ochirbat

This is great explanation. Thanks man!

David Copenhaver

really very well explained - keep up the great work


super helpful overview, especially appreciated the side by side comparison with session based ID's. thank you!

Peter Aleksander Bizjak

Best explanation.

chetan choudhary

Is there a size limit to payload of JWT?

ramesh khadka


Sujay G

OMG!.... you explained it so simple....... Subscribing!...

Hrishikesh R

Do we need to store the JWT tokens for different user logins?


Excellent tutorial - thank you!


Great video! Thank you!

Seun Ore

This is really cool. I am not a developer but as DevOp engineer, I can't run away from this. This is just one of the overlaps between pure development and infra security. This is a great video btw. Thanks


Jesus Christ dude, I can barely believe how clear you made all this mess to me! Thank you so very much!

Saloni Rathi

Very nice video

Fayaz Var

You are great.

Arun Kumar

JWT = JSON Web Token = JavaScript Object Notation Web Token

Hendrik Hausen

Does having a refresh token to provide access tokens provide security benefits, or is it just for server scalability?


what is stored on the server in case of JWT , the secret key ?

Bassam AlKilani

Very informative, thanks!


What is JWT ? JSON Web Token Explained

197 755 views | 7 Feb. 2018


What is JSON Web Token, How JWT is created, Why is JWT used, Where JWT is used, What is JWT Payload, What is JWT Header.

Check https://bitfumes.com For ads free and more advanced courses

(use Coupon code WELCOME60 to get 60% discount)

Learn all these things in this video to gain a solid understanding of JWT

Get real project courses at https://bitfumes.com/courses

You can donate any amount via Paypal follow this link https://goo.gl/JhWsKC

Join Our Slack Community - https://goo.gl/pqCjZH

--You May Also Like --

Real Time Chat Series - https://goo.gl/ri42FD

Git and GitHub series - https://goo.gl/BXyPxf

Blog with Admin panel Series - https://goo.gl/S5JGyt

Laravel Authentication Series: Multi Auth - https://goo.gl/TyCLlX

Vue Beginner To advanced Series - https://goo.gl/1bjdGg

Sublime Text Best Package Series - https://goo.gl/6phTPP

Laravel Ajax Todo Project - https://goo.gl/p2xTPW

Laravel 5.4 Full Beginner Playlist - https://goo.gl/zpKzhM

Laravel 5.3 Hindi Beginner Tutorials - https://goo.gl/Kb3ikd

Full Playlist for the "Laravel 5.3 Hindi Beginner Tutorials" Series: https://www.youtube.com/playlist?list=PLe30vg_FG4OS38IkXcimlq7bI1mzD8wB-

==================FOLLOW ME ==================

Subscribe for New Releases!

Twitter - https://twitter.com/bitfumes

Facebook - https://www.facebook.com/Bitfumes/

Instagram - https://www.instagram.com/bitfumes/

(ask me questions!)

--- QUESTIONS? ---

Leave a comment below and I or someone else can help you.

For quick questions you may also want to ask me on Twitter, I respond almost immediately.

Email me [email protected]

Thanks for all your support!

Laravel 5.4 Tutorial | How to install Laravel 5.4 from scratch Part 1 | Bitfumes

Laravel 5.4 Tutorial | How to install Laravel 5.4 from scratch Part 1 | Bitfumes


Please watch: "Laravel 5.4 Tutorial | Email From Server (Godaddy) #3 | Part 26 | Bitfumes"




Venkatesh Raj

I was expecting insights of jwt, but you kind of repeated what is already there in jwt.io lol..

Manish Yadav

Must-watch video... I don't know who would dislike your video...
Awesome video!!!

Enrico Bahls

Thx simply short and helpful


Very clear and concise explanation.. Thank you...


I want to build a website application based on laravel framework which integrate ZOOM.US api to establish video calls between members of the website. How is that done with jwt?

Sri Nivas

I am using IBM API Connect. In that how can I check JWT?

Virat Raj


Henry Munoz

Thanks for the explanation . Great Job

Ranjith Suranga

Awesome Explanation.

Akash Deep

Well explained. Best explanation i have ever came across for JWT . Thanks Sir.

Ankita Gupta

Is the encoding always done in Base64Url, or can it also be configured?

Anjali Singh

Thank you for simple and clear explanation.

Cx Rl

Thank you! you explained it very well. New subscriber here

Pradeep Mishra

Useful video..


6:38 clears everything. Secret is with the Server. Client has to send back same JWT.

Seemant Shrivastav

Very nice

Chandni Soni

Great Video.. I am gonna use JWT...

Kajal Mohite

This is the best explanation on JWT I've seen so far!

Robby Singh

This is, to put it simply, a superb video. Thanks for putting everything so clearly, simply and succinctly.

Alek Salazar

Great vid! Lots of valuable info in an easy to understand format

Emmanuel Adebiyi

Nice video. This explanation is superb. Best ever


9:25 aaaah i get it now, this is the first place I've seen that actually explains why you can't just change the payload and copy and paste the old signature, thanks


Highly informative, thanks Author.

Suvarna Suryawanshi

Thanks.very well explained.

Stanley John

How to expire an access token manually even if it has an expiration of 3 months?


Very good illustration. Thank you.

Konstantin Svichkar

What about OIDC with the help of jwt?


awesome (Y)

Rohit Nayak

In the screenshot on jwt.io the secret shows "secret". Does that mean your signature secret was actually the word "secret"? Why does it show "secret" as the keyword? Is it just a placeholder for the actual secret used by the token generator, which jwt.io is not aware of and hence cannot recreate the signature? If so, how does it say "signature verified" if the jwt.io site does not know my actual secret used for the token? Can anyone put in an access token and get "signature verified" on this site? How does this site verify without knowing the secret? Coincidentally, if I type something in the secret field, the access token actually changes in the jwt.io console.

Kesit Kusumo


manu pandu

Can you explain OAuth, OAuth2 and refresh tokens also?

Rafał Dydkiem Machał

Indian accent, I'm out

Adam Zdrzalka

Excellent video

Nicolò Scarpa

8:07 You refer to the "c" part of a JWT as "the secret", but that is the signature (computed with the secret, by the server).
If the "c" part were the secret, then the client would be able to forge a JWT that looks valid (signed) to the server.

Ishimwe patrick

I have been switching from one video to another to find out what JWT really means, but I got nothing. Now I understand what JWT is; from the bottom of my heart, thank you very much.

Jal Panchal

This was really helpful. Thanks a lot :)

Telu Talks

JWT and cookie are same?

sai ram



Can you tell me how to use JWT in SAP

Axel Blaze

I think I will use it

Web Maker

really good.....but you must discuss on a real-time example

Aress Schoolblock

Thanks, the video explained the concepts really well. Could you please provide information on JWT token expiration?

Smitha Rajan

thank you so much for the video.

Wendy Crawford

Not able to follow due to the thick accent..smh.

Bashar Dlaleh

You are the best, thanks

Zen Ventzi

Came here for the Indian accent, stayed for the good content.

Devron Tombacco

Thanks a lot for this video. Very well explained

Muthaiah Palaniappan

Thanks for the video. But how can we refresh the access token when JWT is expired?

Vishwanath Krishna

Nicely explained. If possible, please include some real-time sample examples. Thank you

Subrata Sarkar

Where does the JWT value get stored on the server side? What is the mechanism for that?

Because one of the important aspects of avoiding traditional authentication (user/pwd) was not to hit the server with a query.

Jibandeep Bal

I didn't understand why the signature became invalid when we switched the base64-encoded data of the payload. How did JWT conclude that the token has been tampered with?

jung ae Kim

Thank you for your content!!~~

Augmented Cheesus

Your accent is an abomination to English, one does not simply say V instead of W, wtf mate?


You taught amazing !! You have explained so well.. wow !!
Keep making videos like this. I have subscribed just now!

Normally Distributed

I was left at my table wondering how we know the payload was not messed with! You explained it concisely and the rest of the video is just as amazing. Thanks so much for the overview. Liked!

Alam Khan

very bad way of explanation


Keep in mind that JWT is encoded in base64url, not base64. This makes a difference of 2 characters in the code space, but it can surely cause nasty bugs if you implement this on your own.

Ibad Shaikh

Finally got it..

Javed Ameen Shaikh

What happens when there is a man in the middle and he gets the authenticated JWT token, which I assume will be valid for the next few minutes? He can use this token to impersonate an authenticated user and do really nasty stuff. How does JWT address this issue?

Anthony Rivera

Excellent Resource now I have a clear understanding of JWT!

Mahmoud Benjabir

Thank you so much. Can anyone explain how the server authenticates this token? Is it saved in a database or what? If it's in a database and every request has to make a query, why don't I save the user credentials instead of the token? What's the difference?

Vishal Srivastava

sarthak u r simply great, you explain things very clearly, great teacher.

Mohammad Haidar

Great Video, Thanks.

Sand Of Vega

Thank You

Nilanjan Dutta

awesome explanation..such a fantastic way you explained the JWT elephant

Virat Raj

The best. What an explanation, beyond my words. Kudos. Sir, do you offer any training or have any videos on Udemy?

biswabhusan pati

Well Explained Sir .. keep up the good work .. Best wishes

Ishan Soni

For a much better and detailed understanding, see this talk : https://youtu.be/67mezK3NzpU

Sudheer Kumar Kandala

I need an example of JWT in PHP API in localhost

Yashwant Kerkar

An oauth security token is jwt token..?

Guillermo Pages

Haha you killed me with the closing: "so we have a healthy discussion on the JWT". So corporate :D. Amazing explanation, thank you very much


more davlaping

Prafulla Raichurkar

Thanks, this video is awesome!

Kenji Hikmatullah


Avinash Kumar

Explained well. So, only for the first request JWT is created. For the 2nd request, Is the JWT value cached ?

albo poker

So if the header stays the same for all users, one can easily identify the algorithm you are using and may decrypt it. So my question is: do they salt the string, or is it just left the same for all? Or should I be asking: even if the person knows the algorithm and type, would he be able to access the user's payload?

Selwyn Fernandes

Thank you for the excellent explanation


You explained it very well, thank you.

Mohammad Haidar

Thank you so much bro, this is an amazing video.


What is not very clear to me is who determines the secret in the scenario at 7:02.
Is it the Client who creates and supplies a secret together with credentials to the Server? If so, how does the Server know which secret the Client provided? Is it the same hard-coded secret for each and every Client, already known by the Server beforehand? If there are different secrets, there must be an infrastructure to share that secret between Client and Server.
If it is the Server which specifies the secret to be used by the Client (after successful authentication), how does the Server provide this secret? Is it an unencoded string supplied in the response to the Client together with the JWT?

Praneeth Byna

helpful for beginners.thank you


Hello there! Thanks a lot for your good explanation (+1 sub bro ;) )

Your powerpoint looks very nice, can you share my your theme name if you didn't make it by your own please? thx! :)

hatim johar

nice explanation

Saransh Bansal

very clearly explained. great job.

Elshan Akberov

yet another bad explanation

Abhishek Barnawal

Where is the secret key actually stored? Does the app developer decide what secret key is used to sign the signature?

Dinesh kumar

Can we create refresh token using JWT?

Eric M

Thank you for the video. I hope you win the lottery.


Thanks, very well explained.


if you're working with jwt on the web is it safer to store the jwt as a cookie or in local storage ?

sai ram

How RSA256 algorithm works with JWT ?

Vijay K Rai

Hi Sarthak, one correction needed here...JWT is used for Authorization only and not Authentication as you mentioned. The first time user gets authentication (by providing username and password), JWT is not at all involved. Only after the successful authentication, JWT token creation takes place and that token is passed back to the user.

KK Mahapatra

If you could put a written tutorial alongside this tutorial it would be great and more educational and effective. Thanks

Abdul gelani

Good explanation.thank u

Swapnil Bole

Nice article.
What is the value of the secret in the signature?

Rajesh Samson

Nice video. I have couple of questions
1. Is the signature generated by the server itself? So, every time the client makes a request the server verifies the provided signature.
2. What is the secret used in the JWT is it the client secret?

Pratik Rane

It was worth watching. Thank you for the quality content!


LOL this is my Xbox GT

John Ty

Well explained, thx.

The Cynical Swede

The problem with storing lots of information in the JWT token, as some suggest, is that when someone else updates the user's information, like user rights etc., you have to invalidate the JWT. This means that you will either have to kick out the user if you make any changes to the user status that affect the JWT, or let him stay with incorrect information until he himself logs out and back in. Or you will have to build some complicated way to handle that case. This has led me to use JWT just for storing expiry times and the user ID. Everything else just makes it complicated to handle.


Azure Active Directory Token Type | id_token | Access Token | Refresh_Token

7 861 views | 23 May. 2020


#AzureActiveDirectory #AzureADTokenType #AuthenticationToken #TokenType #Token

Azure Active Directory Authentication Token


Access Token

Refresh Token

Microsoft Article - https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-glossary

How to use Postman to request a token?


The script below will help you request a new access token and refresh token using the current refresh token you captured from Postman.

Also make sure you have replaced the values of client_id and client_secret with those of your directory application.

From a permission perspective, make sure you have granted the application permission to access user data in the API permissions section of the application object in Azure AD.

How does an application work in Azure AD?




Write-Host "Script to request new access token and refresh token from refresh token"
$tenant = Read-Host 'Enter your Tenant Name'
Write-Host "Tenant name you entered is $tenant"
Write-Host "Enter the value you have copied from postman"
$refresh_token = Read-Host 'Enter your refresh token'

# Discover the tenant's OAuth 2.0 endpoints from its OpenID Connect metadata document
$Openid = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenant/v2.0/.well-known/openid-configuration"
$authendpoint = $Openid.authorization_endpoint
$tokenendpoint = $Openid.token_endpoint
Write-Host "Authorize endpoint of your tenant is $authendpoint"
Write-Host "Token endpoint of your tenant is $tokenendpoint"

# Form body for the refresh_token grant; replace client_id and client_secret with your application's values
$Body = @{
    client_id     = "9a21d7a5-a500-4ee9-8ea27325c24"
    client_secret = "TrHSZaO53-wwNV__Ff"
    redirect_uri  = "https://localhost"
    grant_type    = "refresh_token"
    scope         = "https://graph.microsoft.com/.default"
    tenant        = "$tenant"
    refresh_token = $refresh_token
}

# Redeem the refresh token; the response carries a new access_token and a new refresh_token
$token = Invoke-RestMethod -Uri $tokenendpoint -Body $Body -Method Post
Write-Host "New access token:" $token.access_token
Write-Host "New refresh token:" $token.refresh_token






Dhiraj Poojary

Great video. I want a small bit of help: is it possible to add a payload to the refresh token as well, like the expiration time and so on?

Maximiliano Anfuso

Hello, if I want to write an app that retrieves new mail in a mailbox without user interaction, will an application-only token work in this case?

Sheshanath Kumar

Great explanation sir..

Rohit Shukla

Hello sir,
Can you please guide me? I have MFA implemented, and with that how can we use a lifetime access token? Please reply.

raman lodhi

Hello Sir, please make a video on Exchange Hybrid mail flow

iam dd

Please upload the scripts..

achint kishore

Can this token be compromised? I know it is Base64 encoded. However, can it still be tampered with as it travels down the wire? Is there any other security provisioned for this token on top of Base64, or is Base64 enough?

Sandesh Kadam

What is the lifetime of these tokens?

Akhilesh Sharma

You are great bro


Can you demo how to configure Azure AD tokens with Nginx? It would be helpful.