JSON Web Tokens

JWT Structure

A JWT has three parts separated by dots: header, payload, and signature. The header names the signing algorithm and the token type. The payload holds the claims (user id, roles, issue and expiry times). The signature lets the verifier check that the header and payload have not been altered since the token was issued. Nothing in the payload is encrypted: it is base64url encoded, not encrypted, so anyone holding the token can decode it. Never put sensitive information like passwords or card numbers in a JWT. The header is likewise unverified input until the signature has been checked, so a verifier must pin the algorithms it accepts instead of trusting the alg field.

Signing and Verifying

jwt.sign takes a payload, a secret, and options like expiry, and returns a token string. jwt.verify takes the token and the same secret (pass the allowed algorithms explicitly via the algorithms option). If the signature is valid and the token is unexpired, it returns the decoded payload. If not, it throws TokenExpiredError for an expired token or JsonWebTokenError for anything else (bad signature, malformed token, unexpected algorithm), and you handle each differently: an expired token can trigger a refresh, an invalid one is rejected outright. TokenExpiredError extends JsonWebTokenError, so test for the expired case first.

Token Expiry

Short-lived access tokens and long-lived refresh tokens work together. The access token expires quickly, usually in 15 minutes, which limits how long a stolen one stays useful. The refresh token lives longer, usually 7 days, and is exchanged for a new access token without asking the user to log in again. Sign it with a separate secret or a distinguishing claim so an access token cannot be presented as a refresh token.…