Security. Also known as: JSON Web Token

JWT

Self-contained signed (or encrypted) token: header.payload.signature.
In plain terms

Ubiquitous in OAuth and OIDC. A resource server verifies the signature offline, without calling the issuer; because the format has no built-in revocation, exposure is bounded by context instead: a short TTL plus refresh-token rotation.

Origin

RFC 7519, published in 2015. Built on RFC 7515 (JWS — signed) and RFC 7516 (JWE — encrypted). Mike Jones and Joe Hildebrand led the spec at the IETF. JWT became the default OAuth 2.0 token format almost immediately.

Where it shows up in production
  • Auth0, Okta, Cognito: issue JWTs as access and ID tokens; every modern OIDC provider does the same.
  • Kubernetes ServiceAccount tokens: projected-volume tokens are JWTs signed by the kube-apiserver.
  • Google service-account auth: you sign a JWT with your private key and exchange it for a Google access token.