JWT in PHP API (Protect Routes with Authorization)

JWT (JSON Web Token) is commonly used for API authentication. ## How it works (simple) ```mermaid flowchart LR A[Login] --> B[Server issues JWT] B --> C[Client stores token] C --> D[Client sends Authorization Bearer token] D --> E[Server validates token] ``` ## Where people go wrong - storing JWT in localStorage without considering XSS - never expiring tokens - accepting unsigned/invalid tokens ## Recommended approach (general) - short-lived access tokens - refresh tokens in httpOnly cookies (if possible) - validate signature and expiry on server Implementation depends on your JWT library and security needs, but the architecture stays the same. > Next: Rate limiting and basic API protection patterns.