Java
P_Alexander, 2018-05-05 23:45:48

What is the working principle of JWT authentication?

Good evening, I'm trying to implement a REST web service that should support the work of a movie poster.
The tasks of the REST service are to return all the films, delete a film, and change the description of a film.
Security: there must be two roles, admin and user; only the admin can delete and change the description. Authentication is done using JWT.
I found articles about Spring Security + REST + JWT, but at the moment I have only just started to study Spring...
What I'm trying to do: WildFly server + MongoDB + REST on Jersey + servlets, and I can't figure out how to attach JWT. Namely, I want to understand the logic of how it works during and after authentication!!
I somehow figured out the REST part, but not the security. The question is: what is the principle of operation between the client and the web server during JWT authentication?
For example, the user entered a username and password and clicked the login form; it flew to the specified URL, and there the server has a token for the user. And where is it stored in the browser???? In cookies, or where?
What is the principle of operation between the user and the server during authentication, and what happens after authentication?
Advice, explanation, example is welcome. Thank you.

1 answer(s)
idyoshin, 2018-05-06
@P_Alexander

JWT is primarily used in microservice architectures, where the final client request will be processed by one of several servers.
Classically, this architecture used OAuth mechanisms, which, when servicing each client request, made a request to the OAuth server: "a client with an AAA token requests a BBB action".
It is clear that the bottleneck is the OAuth server, which must withstand the "storm" of requests under load. The second bottleneck of this architecture is the increase in response time: at least one authorization request will be executed within each request.
If we are talking about a "classic" monolith, then, for example, the use of old-style cookies requires the server to keep all open user sessions in memory, which is also a big load on the authorization service.
JWT solves these problems in the following way: the access token itself contains the necessary information, for example about the roles of the current user or about the actions available to him; in addition, it carries information about the lifetime of this token. A digital signature is required at the end of the token; it is what actually checks the "validity" of the token.
The algorithm is simple:
1. Authorize and get a response with 2 tokens: access and refresh.
2. Access the microservices using the access token.
3. If necessary, renew the access token using the refresh token.
4. When the refresh token has also expired, authorize again.
Where to store the JWT token? Anywhere; it all depends on the tools and the implementation. For example, you can store the token in LocalStorage and forward it with each request in the form of a header. If it is the same domain, then the token can be stored in a cookie, etc.
What to store as the payload? The developer must decide for himself how much information to publish in such a token; in addition, it should be borne in mind that the information in the token can be read: it's just a base64-encoded JSON string...
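The token layout and the four-step flow described in this answer, as an added example written for this page (it is not the answerer's code and not the asker's service). It assumes an HS256 token signed with a shared secret, uses only the JDK (no jjwt or Spring), and constructs its own key, clock values and claim names (`sub`, `role`, `typ`, `exp`); the `claim` helper is a throwaway reader for the flat JSON this demo emits, not a general JSON parser.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

/** Added example: HS256 JWT minting/verification with the JDK only, following the answer's login -> access -> refresh -> re-login flow. */
public class JwtDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    private static final long ACCESS_TTL = 900;            // 15 minutes (assumed)
    private static final long REFRESH_TTL = 7 * 24 * 3600; // 7 days (assumed)
    private final byte[] secret; // HMAC key shared by every service that verifies tokens (constructed in main)

    public JwtDemo(byte[] secret) { this.secret = secret; }

    /** Token = base64url(header).base64url(payload).base64url(HMAC-SHA256(header.payload)). */
    public String mint(String subject, String role, String type, long nowSec, long ttlSec) {
        String payload = String.format("{\"sub\":\"%s\",\"role\":\"%s\",\"typ\":\"%s\",\"iat\":%d,\"exp\":%d}",
                subject, role, type, nowSec, nowSec + ttlSec);
        String signingInput = enc(HEADER) + "." + enc(payload);
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    /** Checks structure, algorithm, signature (constant-time) and expiry; returns the payload JSON only if all pass. */
    public Optional<String> verify(String token, long nowSec) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return Optional.empty();
        try {
            String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            // Accept only the algorithm this service issues; never honour an "alg" chosen by the token's sender.
            if (!header.contains("\"alg\":\"HS256\"")) return Optional.empty();
            byte[] expected = hmac(parts[0] + "." + parts[1]);
            if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) return Optional.empty();
            String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            String exp = claim(payload, "exp");
            if (exp == null || nowSec >= Long.parseLong(exp)) return Optional.empty();
            return Optional.of(payload);
        } catch (IllegalArgumentException e) { // bad base64 or a non-numeric exp
            return Optional.empty();
        }
    }

    /** Resource-side rule from the question: only an admin presenting an access token may delete or edit a film. */
    public boolean mayModifyFilm(String token, long nowSec) {
        Optional<String> p = verify(token, nowSec);
        return p.isPresent() && "access".equals(claim(p.get(), "typ")) && "admin".equals(claim(p.get(), "role"));
    }

    /** Refresh endpoint: a valid refresh token yields a fresh short-lived access token. */
    public Optional<String> refresh(String refreshToken, long nowSec) {
        Optional<String> p = verify(refreshToken, nowSec);
        if (!p.isPresent() || !"refresh".equals(claim(p.get(), "typ"))) return Optional.empty();
        // Demo shortcut: the role is copied from the refresh token. A real service re-reads it from the user
        // store here, so that a demoted user does not keep admin rights until the refresh token expires.
        return Optional.of(mint(claim(p.get(), "sub"), claim(p.get(), "role"), "access", nowSec, ACCESS_TTL));
    }

    /** Reads one claim from the flat JSON this demo emits (not a general JSON parser). */
    static String claim(String payload, String name) {
        String key = "\"" + name + "\":";
        int at = payload.indexOf(key);
        if (at < 0) return null;
        int start = at + key.length();
        if (payload.charAt(start) == '"') start++;
        int end = start;
        while (end < payload.length() && "\",}".indexOf(payload.charAt(end)) < 0) end++;
        return payload.substring(start, end);
    }

    private static String enc(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        // Constructed key and clock; a real service loads a random key from configuration and uses the system clock.
        JwtDemo jwt = new JwtDemo("demo-only-secret-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8));
        long t0 = 1_525_562_748L;
        // 1. Login: after checking the password (omitted here) the server returns both tokens to the client.
        String adminAccess = jwt.mint("alice", "admin", "access", t0, ACCESS_TTL);
        String adminRefresh = jwt.mint("alice", "admin", "refresh", t0, REFRESH_TTL);
        String userAccess = jwt.mint("bob", "user", "access", t0, ACCESS_TTL);
        // 2. The client sends "Authorization: Bearer <token>"; the resource decides from the claims alone.
        System.out.println("admin DELETE /films/1: " + jwt.mayModifyFilm(adminAccess, t0 + 10));
        System.out.println("user  DELETE /films/1: " + jwt.mayModifyFilm(userAccess, t0 + 10));
        // 3. After 15 minutes the access token is rejected and the refresh token yields a new one.
        System.out.println("stale access:          " + jwt.mayModifyFilm(adminAccess, t0 + 1000));
        String renewed = jwt.refresh(adminRefresh, t0 + 1000).orElse("");
        System.out.println("renewed access:        " + jwt.mayModifyFilm(renewed, t0 + 1010));
        // 4. Once the refresh token has expired as well, the client must log in again.
        System.out.println("refresh after 8 days:  " + jwt.refresh(adminRefresh, t0 + 8 * 24 * 3600).isPresent());
        // A payload edited on the client (role changed to admin) no longer matches the signature and is rejected.
        String[] parts = userAccess.split("\\.");
        String forged = parts[0] + "." + enc("{\"sub\":\"bob\",\"role\":\"admin\",\"typ\":\"access\",\"iat\":" + t0
                + ",\"exp\":" + (t0 + ACCESS_TTL) + "}") + "." + parts[2];
        System.out.println("forged role:           " + jwt.mayModifyFilm(forged, t0 + 10));
    }
}
```

Compile and run with `javac JwtDemo.java && java JwtDemo`. Two design choices matter for the asker's setup: the resource server verifies the signature and reads the role locally, which is exactly why no round trip to an auth server is needed per request; and the verifier pins the algorithm to the one it issues and compares the signature in constant time, because the payload is only base64 (anyone holding the token can read and edit it) and the signature is the sole thing that makes the claims trustworthy. In a Jersey service this verification would sit in a `ContainerRequestFilter` that reads the `Authorization` header and rejects the request before it reaches the film resource.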
