
express-js / express-js - interview

Q1. What is JWT and how does it work?
JWT (JSON Web Token) is a compact, URL-safe token that carries claims between parties. It has three base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims such as sub, iat and exp), and a signature computed over the header and payload. The server signs the token with a secret (HMAC) or a private key and sends it to the client. The client sends it in the Authorization header on subsequent requests, and the server verifies the signature and checks claims such as exp before trusting the payload. The payload is encoded, not encrypted: anyone holding the token can read it, so never put secrets in it.

Q2. How do you implement JWT in Express?
Install jsonwebtoken. On login, create a token: const token = jwt.sign({ userId: user.id }, process.env.JWT_SECRET, { expiresIn: '1h' }), and send it to the client. In protected routes, read the token from the Authorization header (Bearer <token>) and verify it: jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] }). jwt.verify throws on a bad or expired token, so wrap it in try/catch and respond 401; pin the algorithms list so a token whose header names a different algorithm is rejected rather than verified under whatever the header says.

Q3. Where should you store JWT on the client?
Common options: localStorage (readable by any script on the page, so an XSS bug leaks the token), memory (a JS variable; lost on refresh, and script injected via XSS can still use it while the page is open), or a cookie with the httpOnly flag (JavaScript can't read it, so XSS can't exfiltrate it). HttpOnly cookies are usually recommended, with the Secure and SameSite attributes set as well. The trade-off is that the browser attaches cookies automatically, so cookie-based auth needs CSRF protection (SameSite=Strict or Lax plus a CSRF token on state-changing requests), which tokens sent in the Authorization header do not.

Q4. What is the difference between JWT and session-based auth?
Sessions keep state on the server and give the client only an opaque session ID; a JWT carries the claims itself, so the server holds no per-user state (stateless). JWT scales out more easily (no shared session store to consult on every request), but a token can't be invalidated before it expires unless you add server-side state back (a denylist, or short expiry plus revocable refresh tokens). Sessions can be invalidated immediately, but require server-side storage or a shared session store across instances.

Q5. How do you handle token expiration and refresh?
Use short-lived access tokens (e.g., 15 min) and longer-lived refresh tokens stored securely (e.g., in an httpOnly cookie, with only a hash of each refresh token kept server-side). When the access token expires, the client calls a /refresh endpoint with the refresh token to get a new access token. Because refresh tokens are tracked server-side they can be revoked on logout or compromise; rotate the refresh token on every use, and if an already-used refresh token is presented again, treat it as theft and revoke the whole chain.