How JWT works
When a user successfully signs in using their credentials,
the server side generates a JWT signed with a secret key and a unique user detail.
Then, this token is returned to the requesting client
to be saved locally either in localStorage, sessionStorage, or a cookie in the browser,
essentially handing over the responsibility of maintaining user state to the client side.
For HTTP requests made following a successful sign-in,
especially requests for API endpoints that are protected and have restricted access,
the client side has to attach this token to the request.
More specifically, the JSON Web Token must be included in the request Authorization header as a Bearer:
Authorization: Bearer <JSON Web Token>
When the server receives a request for a protected API endpoint,
it checks the Authorization header of the request for a valid JWT,
then verifies the signature to identify the sender and ensures the request data was not corrupted.
If the token is valid, the requesting client is given access to the associated operation or resource,
otherwise an authorization error is returned.
When a user signs in (e.g. with email and password) the backend will generate a signed JWT
with the user’s ID and with a secret key available only on the server.
This token will then be required for verification when a user tries to access any protected data
(e.g., view any user profiles, update their account details, or delete their user account).
Resources: Full Stack React Projects by Shama Hoque