Suppose you run a food business and have built an app that delivers food to users at their location. Users sign into your app, the app learns their identity, and you store their address and order preferences in a database on your server.
If your food delivery server is not protected by some authentication mechanism, attackers could read and write to your user database simply by guessing your users' email addresses: an attacker could submit a forged request to your server carrying nothing more than a victim's email address.
This isn’t just a bad user experience; it’s a risk that customer data can be stolen and misused. So you need to authenticate users. Right? Do you want to set up your own authentication server, or do you want to use a world-class authentication service provided by another company? If you are not a security expert, you may want to use such a service (otherwise your website may get hacked without you even knowing). Google authentication is one such service. Now, how will you communicate with Google's authentication server? This is where JWT helps.
JSON Web Token (JWT, pronounced /dʒɒt/) is a JSON-based open standard (RFC 7519) for creating access tokens that assert some number of claims. For example, a server could generate a token that has the claim "logged in as admin" and provide that to a client. The client could then use that token to prove that it is logged in as admin. The tokens are signed by the server's key, so the client and server are both able to verify that the token is legitimate. The tokens are designed to be compact, URL-safe and usable especially in a web browser single sign-on (SSO) context. JWT claims are typically used to pass the identity of authenticated users between an identity provider and a service provider, or to carry any other type of claims required by business processes. The tokens can also be authenticated and encrypted.
This is a stateless authentication mechanism: the user's state is never saved in server memory. The server's protected routes check for a valid JWT in the Authorization header, and if one is present, the user is allowed to access protected resources. As JWTs are self-contained, all the necessary information is in the token itself, reducing the need to query the database multiple times.
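To make the two paragraphs above concrete, here is an added example (not code from the original post or from any of the linked tutorials) that builds a compact HS256 JWT from a set of claims, then does what a protected route does: pulls the bearer token out of the Authorization header, checks the signature with a constant-time compare, checks the `exp` claim, and rejects a token whose payload has been altered. It uses only the Python standard library; the secret key, the claims, and the function names (`create_jwt`, `verify_jwt`, `authenticate_request`, `demo`) are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: in a real deployment this comes from a secret store,
# never from source code.
SECRET_KEY = b"demo-only-shared-secret-replace-me"


def _b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Reverse of _b64url_encode; restores the stripped padding first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def create_jwt(claims: dict, key: bytes, lifetime_seconds: int = 900) -> str:
    """Build header.payload.signature, each segment base64url-encoded, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = dict(claims)
    payload.setdefault("iat", now)                     # issued-at
    payload.setdefault("exp", now + lifetime_seconds)  # short lifetime limits replay window
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Validate structure, algorithm, signature and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm we accept instead of letting the token's own header
    # choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def authenticate_request(headers: dict, key: bytes) -> Optional[dict]:
    """What a protected route does: read 'Authorization: Bearer <jwt>' and verify it.
    Returns the claims, or None when the request should be answered with 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    try:
        return verify_jwt(token, key)
    except ValueError:
        return None


def demo() -> dict:
    """Exercise the happy path, a tampered payload, and an expired token."""
    token = create_jwt({"sub": "user-42", "role": "customer"}, SECRET_KEY)
    valid = authenticate_request({"Authorization": f"Bearer {token}"}, SECRET_KEY)

    # Tampered token: payload edited to claim a different role, original signature kept.
    h, p, s = token.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["role"] = "admin"
    tampered = h + "." + _b64url_encode(json.dumps(edited, separators=(",", ":")).encode()) + "." + s
    tampered_result = authenticate_request({"Authorization": f"Bearer {tampered}"}, SECRET_KEY)

    # Expired token: verify as if the server clock were one hour ahead of 'exp'.
    expired_error = None
    try:
        verify_jwt(token, SECRET_KEY, now=int(time.time()) + 3600)
    except ValueError as err:
        expired_error = str(err)

    return {"valid_claims": valid, "tampered": tampered_result, "expired_error": expired_error}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The route never consults a session store: everything it needs (who the user is, their role, when the token expires) is inside the token, and a signature failure or a stale `exp` is enough to reject the request. Note that with HMAC the same secret both signs and verifies, so only the server (or services it deliberately shares the key with) can check a token; a client holding only the token cannot.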
The service receiving the token does not need to go back to the server that issued it in order to verify the token's validity or to get information about the user, so the scalability of a system using JWTs increases significantly.
https://en.wikipedia.org/wiki/JSON_Web_Token
https://expertise.jetruby.com/json-web-token-authentication/
http://blog.apcelent.com/json-web-token-tutorial-with-example-in-python.html