English
  • oauth
  • jwt

JWT vs OAuth: Key differences, how they work together, and best practices

A quick guide explaining how JWT and OAuth differ, how they complement each other, and best practices for using both effectively.

Guamian
Guamian
Product & Design

Stop wasting weeks on user auth
Launch secure apps faster with Logto. Integrate user auth in minutes, and focus on your core product.
Get started
Product screenshot

If you’re new to authentication and building an app that handles logins, payments, or user data, you’ve probably come across the terms JWT and OAuth. They might sound like complex, “backend-only” topics, but they’re not just for security engineers.

With APIs, third-party integrations, and emerging technologies like AI, MCP, and agent-based systems, these two play a direct role in your product’s usability, security, and growth. Understanding the basics means you can:

  • Design features that are secure from the start
  • Communicate effectively with your engineering team
  • Make better product decisions about authentication and user flows
  • Avoid costly security mistakes that damage user trust

For example, in the latest MCP spec, the authorization system is built on proven standards:

Why this matters

Even if you never write backend code:

  • Developers learn how to secure APIs, manage sessions, and integrate with third-party services.
  • Product managers gain the vocabulary to discuss login flows, integrations, and compliance with teams and partners.
  • Founders and early-stage teams avoid building fragile login systems that break with integrations or leave you open to breaches.

JWT vs OAuth: The two core concepts

JWT (JSON Web Token) and OAuth (Open Authorization) are often used together, but they serve different purposes.

Think of it like this:

  • OAuth is how you give someone the keys, but only to the rooms they’re allowed to enter.
  • JWT is the ID card they carry, proof of who they are and what they can do.

In the next section, we’ll break them down side-by-side so you can clearly see the differences and how they complement each other.

What is OAuth 2.0?

OAuth 2.0 is a widely adopted authorization framework that enables an application (the client) to access a user’s resources with limited permissions, without needing to share the user’s credentials (like passwords) .

Core roles in OAuth

  • Client: The application requesting access.
  • Resource owner: Usually the user, granting permission.
  • Authorization server: Issues access tokens after authorization.
  • Resource server: Hosts the protected resources and validates tokens

Common OAuth grant types (Flows)

  • Authorization Code Grant: Most secure and recommended, especially with PKCE for browser, SPA, and mobile apps.
  • Implicit Grant: Now discouraged in OAuth 2.1 for security reasons.
  • Resource Owner Password Credentials (ROPC): Directly exchanges username and password for tokens; less secure.
  • Client Credentials Grant: For server-to-server or machine-to-machine communication.
  • Device Flow: For devices without keyboards (e.g., smart TVs), where users authorize from a second device.

What is JWT (JSON Web Token)?

A JWT is an open standard (RFC 7519) for securely transmitting claims between two parties in a compact, URL-safe way.

Structure of a JWT

A JWT consists of three base64url-encoded parts, separated by dots (.):

  1. Header: Specifies the algorithm (e.g., HS256, RS256) and token type (JWT).
  2. Payload: Contains claims, such as:
    • iss (issuer)
    • sub (subject, e.g., user ID)
    • aud (audience)
    • exp (expiration time)
    • Custom claims as needed
  3. Signature – Verifies that the token hasn’t been tampered with.

Example:

A JWT example

Here’s an example of a typical JWT in its encoded form, along with its decoded structure so you can see what each part represents.

Encoded JWT (Base64URL)

This is made of three parts separated by dots: header.payload.signature

Decoded Structure

  • Header
  • Payload

The payload contains claims

  • Signature

The signature ensures the token hasn’t been tampered with.

Key characteristics

  • Self-contained: All required information is inside the token.
  • Stateless: No server-side session storage needed.
  • Signed: (and optionally encrypted) to ensure authenticity.

JWT vs OAuth: Core differences

AspectJWTOAuth 2.0
DefinitionToken formatAuthorization framework
PurposeSecurely carry identity/claimsDefine how to grant and manage access
ScopeData representationProcess and flows
Works Alone?Yes, for in-house token handlingNo, needs a token format (e.g., JWT)
Example UseAPI issues JWT to clients directlyApp gets an access token via OAuth flow

In short:

  • JWT is the container: like a passport with identity details.
  • OAuth is the system: like immigration control, deciding who gets the passport and what they can access.

When to use JWT alone

Use JWT by itself when:

  • Single-system authentication where your app issues and verifies tokens without involving an external identity provider.
  • Stateless session management to validate user identity without storing session data on the server.
  • Simple API authentication for internal APIs that only need to verify basic access rights without complex consent flows.
  • Performance-focused validation so resource servers can validate tokens locally without contacting an auth server.

Example:

A single-page app and backend API you own. The API issues a JWT containing sub (user ID), role, and exp (expiry) claims.

When to use OAuth alone

Use OAuth without JWT when:

  • You do not need self-contained tokens, and opaque tokens that require lookup are acceptable.
  • You want the resource server to always check with the authorization server before granting access.
  • You are in a legacy or regulated environment where JWT is not suitable.
  • The goal is delegated authorization for securely granting limited access to third-party apps.

Example:

An API that issues opaque access tokens and validates each request by querying the authorization server.

When to use both JWT and OAuth

Use them together when:

  • You have multiple services or APIs and want OAuth for the secure flow plus JWT for verifiable tokens across services.
  • You provide third-party login such as “Sign in with Google” where OAuth handles consent and JWT carries the access or ID token.
  • You run a microservices architecture where each service can validate JWTs locally.
  • You need scalability with OAuth’s delegation model and JWT’s stateless verification.

Example:

Your app lets users log in with Google. OAuth manages the authorization process, Google issues a JWT access token, and your APIs verify it locally before returning data.

How JWT and OAuth work together

In modern authentication/authorization setups:

  1. OAuth handles the flow for granting access.
  2. The Authorization Server issues an access token: often a JWT.
  3. The JWT is sent with API requests to prove identity and permissions.

Special tokens in OAuth

  • ID token: Used in OpenID Connect to prove a user’s identity; always a JWT.
  • Access token: Can be a JWT or opaque token.

Best practices of using JWTs and OAuth

  • Use HTTPS to protect tokens in transit.
  • Set short expiration times for JWTs; use refresh tokens for longer sessions.
  • Validate the signature before trusting any claims.
  • Check the aud claim to ensure the token is meant for your app.
  • Avoid storing tokens in localStorage if XSS is a risk; prefer secure cookies.

Final thoughts

  • OAuth 2.0 defines how to get and use tokens.
  • JWT defines what the token looks like and how it carries information.
  • They are complementary, not interchangeable.

Most modern APIs use OAuth for authorization flows and JWT for token representation. Understanding both will help you design secure, scalable authentication systems.

Try Logto Cloud for free