D5 · Crypto

What is a JSON Web Token (JWT)?

A JWT is a compact, self-contained token that carries claims about a subject (identity, roles, expiry) and is signed by the issuer. Three dot-separated parts: header.payload.signature, each Base64url-encoded. Encoding is not encryption: anyone holding the token can read the claims.
The signature covers header and payload, so a tampered JWT fails verification, provided the verifier actually checks it. Stored in localStorage (readable by XSS) or in an HttpOnly cookie (sent automatically, so CSRF defences are needed). Classic verification bugs: accepting "alg": "none" (an unsigned token), and algorithm confusion, where a token issued with RS256 is re-signed as HS256 using the server's public key as the HMAC secret and a verifier that trusts the header's alg accepts it. Always pin the expected algorithm and key server-side rather than reading them from the token, and check exp, iss and aud.
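Added example, not part of the glossary: a minimal HS256 signer and verifier in pure Python that pins the algorithm server-side. The forged alg:none token and the tampered payload below are both rejected, while the genuine token verifies. The key, claims and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: a real deployment uses a random key of >= 32 bytes.
DEMO_KEY = b"demo-hmac-key-0123456789abcdef-not-for-production"
DEMO_NOW = 1_700_000_000          # fixed "current time" so the demo is deterministic
DEMO_CLAIMS = {"sub": "alice", "role": "user", "exp": DEMO_NOW + 3600}


def b64url_encode(data: bytes) -> str:
    # JWT uses Base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is a valid HS256 JWT under `key`, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The server decides the algorithm; the header's alg is only checked for
    # equality with it. This rejects "none" and any HS256/RS256 swap.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def forge_alg_none(new_claims: dict) -> str:
    # Attacker's token: alg "none" and an empty signature segment.
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(new_claims) + "."


def tamper_payload(token: str, new_claims: dict) -> str:
    # Attacker keeps the original header and signature but swaps the claims.
    h, _p, s = token.split(".")
    return h + "." + _encode_json(new_claims) + "." + s


def verification_fails(token: str, key: bytes, now: float) -> bool:
    try:
        verify_hs256(token, key, now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    good = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    print("genuine token ->", verify_hs256(good, DEMO_KEY, DEMO_NOW))
    admin = dict(DEMO_CLAIMS, role="admin")
    for label, tok in (("alg none", forge_alg_none(admin)), ("tampered", tamper_payload(good, admin))):
        print(f"{label:9} -> rejected: {verification_fails(tok, DEMO_KEY, DEMO_NOW)}")
```

The verifier compares the header's alg against a hard-coded value and uses `hmac.compare_digest` to avoid a timing side channel on the signature check; a library that instead dispatches on whatever alg the token declares is what makes the alg:none and RS256-to-HS256 attacks possible.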