Which statement about JSON Web Tokens (JWTs) is true?

Test your Systems Design Concepts knowledge with our comprehensive quiz. Utilize flashcards and multiple choice questions to enhance your study session. Prepare thoroughly with detailed explanations for each answer and ace your examination!

Multiple Choice

Which statement about JSON Web Tokens (JWTs) is true?

Explanation:
A JWT is a self-contained, signed token: the header and payload (claims such as the subject, roles and expiry) are base64url-encoded and covered by a signature, either an HMAC over a shared secret or a digital signature made with the issuer's private key. Because the signature is checked with a key the service already holds, a resource server can verify the token and trust its claims without a database lookup on every request. This is what makes JWT authentication stateless: once the token is issued, downstream services authorize from the claims alone, as long as the signature verifies, the algorithm is the one the service expects, and the token is not expired. The signature provides integrity, not confidentiality. A plain signed JWT (JWS) is not encrypted; anyone holding the token can decode and read the payload, so do not put secrets in it unless you use an encrypted JWT (JWE). TLS protects the token in transit, but it does nothing for the token's integrity and nothing for its confidentiality once the token sits in a browser, a log file or a proxy. Finally, the stateless design has a cost: because no server-side session store is consulted, a token cannot be revoked before it expires unless the issuer adds a mechanism such as short lifetimes combined with refresh tokens, or a denylist of token identifiers (jti) checked on each request.

