Why JWT Exists: The Real Numbers
I used JWT in every project. I knew the syntax. I did not know why it exists.
I stopped watching tutorials. I measured the time for common tasks:
- JWT signing: 5ms
- MongoDB query: 50ms
- Bcrypt hash: 100ms
These numbers tell the whole story.
Most old apps used sessions. The server stores a session ID in a database. Your browser sends this ID with every request. The server checks the database every time. This takes 50ms per request.
Consider 10,000 users. Your server makes 10,000 database calls per second. The database becomes a bottleneck. Your system slows down.
You might think about running bcrypt on every request. Bcrypt takes 100ms. It is slow by design, to make password guessing expensive for attackers. Running it on every request crashes your server.
JWT solves this. A JWT has three parts: a header, a payload, and a signature. The server does not query a database. It verifies the signature with its key. This takes 5ms. No network calls. No disk reads.
Be careful. The payload is not secret. It is only base64url-encoded, so anyone who holds the token can read it. Do not put passwords in a JWT.
But the payload is tamper-evident. If a user changes their role to admin, the signature no longer matches. The server rejects the token.
JWTs have one weakness. Revocation is hard. Once issued, a token cannot be deleted from the client; the server keeps accepting it until it expires.
Engineers fix this with:
- Short expiry times
- Refresh tokens
- Redis blacklists
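An added example (not code from the original post) that puts the three fixes next to the signature check: a minimal HS256-style signer and verifier where the signature, expiry and a revocation set are checked in that order, so only the blacklist lookup needs server-side state. The key, claims and token IDs are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Mint header.payload.signature with HMAC-SHA256; no database involved."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token: str, key: bytes, revoked: set, now: float):
    """Return the claims if the token is valid, else None (now is passed in for testability)."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own alg field
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature mismatch: edited payload or wrong key
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):
        return None  # malformed structure, base64 or JSON
    if not isinstance(claims, dict):
        return None
    # Short expiry bounds how long a leaked token works; the revoked set is the
    # Redis-style blacklist and is the only check that touches server-side state.
    if claims.get("exp", 0) <= now or claims.get("jti") in revoked:
        return None
    return claims

def demo() -> dict:
    """Constructed sample: a valid token, then edited, expired and revoked variants."""
    key = b"constructed-demo-secret"
    token = sign({"sub": "alice", "role": "user", "exp": 2000, "jti": "t1"}, key)
    h, _, s = token.split(".")
    edited = b64url_encode(b'{"sub":"alice","role":"admin","exp":2000,"jti":"t1"}')
    return {
        "valid": verify(token, key, set(), now=1000) is not None,
        "edited_payload_rejected": verify(f"{h}.{edited}.{s}", key, set(), now=1000) is None,
        "expired_rejected": verify(token, key, set(), now=3000) is None,
        "revoked_rejected": verify(token, key, {"t1"}, now=1000) is None,
    }
```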
Knowing how to use a tool is not enough. Understanding why it exists is engineering. The numbers prove it.