SaaS & Engineering

JWT (JSON Web Token)

Compact, self-contained way to securely transmit information between parties as a JSON object — used widely in SaaS authentication.

JWT is a Base64-encoded JSON with three parts: header (algorithm), payload (user info, expiry, etc.), and signature (HMAC or RSA). Anyone can decode the payload (it's not encrypted), but only the issuer can sign it.

Use case: user logs in → server issues JWT with user ID + permissions + expiry → client sends JWT on every API call → server verifies signature without DB lookup.

For Indian SaaS, JWT enables stateless authentication — no session storage needed. Trade-off: revoking a JWT before expiry is hard (no central session). Solutions: short-lived JWT + refresh tokens, or revocation lists.

India context

Indian SaaS adopting JWT must understand: payload is readable (don't put secrets), signature must be verified (else trivially forgeable), and expiry should be short (1-hour access, 30-day refresh).

Examples

  • Doggu issues a 1-hour JWT on login. Mobile app sends it on every request. Server verifies signature, extracts user ID, processes.
  • Refresh token is 30-day. When access JWT expires, app uses refresh token to get a new pair.

FAQ

Is JWT encrypted?

By default, no — JWT is signed but not encrypted. Anyone can read the payload. Don't put secrets in JWT. For encrypted JWT, use JWE (JSON Web Encryption).

Are JWTs better than session cookies?

Trade-offs. JWT: stateless, scalable, no DB lookup on each request. Session cookies: easy to revoke, server controls. Both have valid use cases.

How do I revoke a JWT?

Hard — that's the trade-off. Solutions: short-lived JWT + refresh token + token blacklist. Or rotate signing key (invalidates all JWTs).

Related concepts

OAuthAPIsessionHMACAPI key

Doggu handles JWT (JSON Web Token) compliance for you.

Whether it's automating the workflow above, Doggu was built specifically for the Indian SMB regulatory environment. One platform, all the requirements.

Try Doggu free for 14 days

Related glossary entries

WhatsApp Cloud APIMeta-hosted, direct API access to WhatsApp Business — alternative to using a BSP.API (Application Programming Interface)Standard way for one application to communicate with another — the foundation of modern SaaS integrations.OAuth 2.0Industry-standard protocol for delegated access — lets users grant apps limited access to their data without sharing passwords.

More in SaaS & Engineering

API (Application Programming Interface)WebhookOAuth 2.0SDK (Software Development Kit)Shopify (India)
← All glossary entriesBlogWhatsApp TemplatesFree tools