Signing and Verifying JWTs with python-jose
Encode and decode JWTs with claims, expiry, and audience validation while protecting routes against tampering.
Why JWTs for Stateless Auth
A JWT (JSON Web Token) is a compact, signed token that carries claims about a user. Once your FastAPI app issues a JWT at login, the client sends it back on every request, and you verify it without touching a session store.
- Stateless — the server doesn't store sessions; the signature proves authenticity.
- Tamper-evident — any change to the payload invalidates the signature.
- Portable — the same token works across services that share the secret or public key.
In this lesson we use python-jose to encode (sign) and decode (verify) tokens with claims, expiry, and audience validation.
Anatomy of a JWT
A JWT has three Base64URL parts joined by dots: header.payload.signature.
- Header — algorithm and token type, e.g. {"alg": "HS256", "typ": "JWT"}.
- Payload — the claims (data) such as sub, exp, aud.
- Signature — keyed hash of header + payload, proving the token wasn't altered.
Standard (registered) claims you'll use most: sub (subject/user id), exp (expiry), iat (issued at), aud (audience), iss (issuer). The payload is only encoded, not encrypted, so never put secrets like passwords inside it.