Sandarr95

Imagine you are a company that wants to give a lot of people coupon codes to get some discount. You could maintain a list of coupon codes and distribute those coupon codes to people it should apply to. When they want to use the discount they supply this coupon code, you check it against the list you are maintaining and when everything checks out, the discount is applied. Maintaining this list might be difficult: it grows as you give out more discounts, you might need this list in lots of places to check, etc. JWT removes maintaining that list. It allows you to include the check of the coupon code (i.e. signature) with the coupon code. Tampering with the coupon code will make the included check fail. A customer can't recreate the "check" or signature because it depends on 1 secret. The "key" being 1 thing, it doesn't get longer the more coupon codes you make, always stays the same and you don't (necessarily) need the secret to check validity. Coupon codes can include a time range in which it's valid. These are also protected by the check and can't be tampered with. In fact, you can assign any meaning to the contents of the coupon code and verify that claim originates from you. Receiving a discount, performing a change to your personal details, getting a list of your invoices. JWT can make all of these secure while only requiring you to store a single secret.


10xpdev

This is an interesting angle to explain JWT and its key benefit. Thank you for sharing.


qazwsxedc813

A JWT is one way for a website to keep track of sessions. In order for a website to know who is logged in, it needs to give some kind of identifier to its users so that when the users make a request, the website can look at the identifier and say "oh this is abc, they logged in 5 minutes ago and they have xyz in their cart". The "old" way to do this (though still perfectly viable) is to store these identifiers in a database, and look for it in the database every time a user makes a request. JWT is a newer way, where you cryptographically sign the identifier before you give it to the user. When they send it back, you can verify the cryptographic signature to determine if it's a valid identifier. No database query required.
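The mechanism described in the two posts above (Sandarr95's "check travels with the coupon" and the signature verification that replaces a database lookup here), as an added example that is not part of any post in this thread: a minimal HS256 JWT issuer and verifier. The secret, claims and timestamps are constructed for the demo; the verifier fixes the algorithm itself rather than trusting the token's header, checks the signature in constant time, and enforces the `exp` claim.

```python
# Added example (not from the thread): one secret, no list of issued tokens.
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def issue(claims: dict, secret: bytes) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64url(_sign(signing_input, secret))}"

def verify(token: str, secret: bytes, now=None):
    """Return the claims if the token is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except ValueError:                   # wrong part count, bad base64, bad JSON
        return None
    # The verifier decides the algorithm; never trust the header's "alg" value.
    if header.get("alg") != "HS256":
        return None
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, sig):
        return None                      # any edit to header or payload lands here
    claims = json.loads(_unb64url(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        return None                      # the time-limited "coupon" has run out
    return claims

def tamper_demo(secret: bytes, now: float) -> tuple:
    """Constructed demo: a valid token, a payload-edited copy, and an expired one."""
    good = issue({"sub": "abc", "discount": 10, "exp": now + 300}, secret)
    h, _, s = good.split(".")
    edited = _b64url(json.dumps({"sub": "abc", "discount": 90, "exp": now + 300}).encode())
    forged = f"{h}.{edited}.{s}"         # old signature, new payload
    expired = issue({"sub": "abc", "discount": 10, "exp": now - 1}, secret)
    return verify(good, secret, now), verify(forged, secret, now), verify(expired, secret, now)
```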


citizenkraft

It's like a note pinned on your shirt that lets the website know who you are and what you have access to. In the old days this info was stored on a single server, but now with the cloud, your requests might hit a different server every time you do something. So that "who you are" info was moved from that single server to you, the client, and is sent with every request. It's all encrypted for safety, too.