A JSON Web Token (JWT, RFC 7519, often pronounced "jot") is a compact, URL-safe token format consisting of three Base64url-encoded segments separated by dots: a header (algorithm + type), a payload (a JSON object of claims), and a cryptographic signature. The signature lets the recipient verify integrity and origin without calling back to the issuer, which is why JWTs are the default access-token format in OAuth 2.0 and OpenID Connect. JWTs can be signed with a shared secret (HMAC) or an asymmetric key (RSA / ECDSA), and the standard claim set covers issuer, audience, expiration, and subject.
In a self-hosting context
Almost every modern self-hostable application that exposes an API issues JWTs internally. Keycloak and Authentik both mint OIDC-shaped JWTs by default. The common pitfall when self-hosting is leaving the default short-lived signing key in place: rotate the key, set a sensible "exp" claim, and verify the "alg" header on the receiving end to guard against the classic "alg: none" attack.
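The receiving-end checks named above ("alg" allow-list, signature, "exp"), as an added example that is not code from this page, Keycloak or Authentik. It assumes an HS256 shared secret; the function names and the allow-list constant are hypothetical, and sign_hs256 exists only to build constructed sample tokens.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = ("HS256",)  # receiver-side allow-list, never read from the token


def b64url_decode(segment):
    # JWT segments drop Base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims, secret):
    # Issuer side, used here only to build constructed sample tokens
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, secret, now=None):
    """Return the claims dict, or raise ValueError if any check fails."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad Base64 or bad JSON
        raise ValueError("malformed token") from exc
    # 1. Check "alg" against the allow-list before touching the signature,
    #    so "none" or any other unexpected algorithm is rejected outright.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # 2. Recompute the HMAC over "header.payload"; compare in constant time.
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # 3. Only now parse the payload, and require an unexpired numeric "exp".
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return claims
```

A token without "exp" is rejected rather than treated as non-expiring, and the algorithm is fixed by the receiver's configuration instead of being chosen by the token.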