How is JWT stateless?
The server does not store sessions. The token carries all the info (userId, role, expiry) and is signed so it cannot be tampered with. The server verifies the signature and expiry on each request, without looking up a session.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How JWT Works in Node.js: Step by Step
On login, sign a token with jwt.sign({ userId }, secret, { expiresIn }). Store in an httpOnly cookie. On each request, verify with jwt.verify(token, secret) in an auth middleware. Set req.user from the payload. Logout clears the cookie. The server is stateless; no session store needed.
header.payload.signature. Header is base64url-encoded JSON with the algorithm. Payload is base64url-encoded JSON with claims (userId, role, exp). Signature is HMAC of header.payload using your secret, proving the token was not tampered with.
In an httpOnly, secure, sameSite cookie for web apps. The browser sends it automatically. In secure storage (Keychain, Keystore) for mobile. Do not use LocalStorage (open to XSS).
Still have questions?
Browse all our FAQs or reach out to our support team
