
JWT in PHP API (Protect Routes with Authorization)

Learn how JWT works conceptually and how to protect API endpoints (high-level + safe pattern).

Sophia Carter
November 16, 2025

JWT (JSON Web Token) is commonly used for API authentication.

How it works (simple)

  • Client logs in with its credentials
  • Server issues a JWT
  • Client stores the token
  • Client sends the token on each request in the Authorization: Bearer header
  • Server validates the token before serving the request

Where people go wrong

  • storing JWT in localStorage without considering XSS
  • never expiring tokens
  • accepting unsigned/invalid tokens

Recommended approach (general)

  • short-lived access tokens
  • refresh tokens in httpOnly cookies (if possible)
  • validate signature and expiry on server

Implementation depends on your JWT library and security needs, but the architecture stays the same.
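The pattern above, as an added example rather than code from the article: a minimal HS256 issuer and verifier in plain PHP 8 (no library), plus a route guard that reads the Authorization: Bearer header and answers 401 when the token is missing, badly signed or expired. The secret is assumed to come from a JWT_SECRET environment variable and to be at least 32 random bytes; the function names (jwt_issue, jwt_verify, require_bearer) and the "user-42" sample claim are illustrative, not a standard API.

```php
<?php
// Added example (not the article's own code): minimal HS256 JWT issue/verify in plain PHP 8
// and a route guard for "Authorization: Bearer <token>".
// Assumptions: the signing secret is read from the JWT_SECRET environment variable and is
// at least 32 random bytes; helper and variable names here are illustrative.
declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string|false
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true); // strict mode rejects stray characters
}

// Issue a short-lived access token (default 15 minutes) carrying the given claims.
function jwt_issue(array $claims, string $secret, int $ttlSeconds = 900): string
{
    $now = time();
    $header = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = $claims + ['iat' => $now, 'exp' => $now + $ttlSeconds];
    $signingInput = base64url_encode(json_encode($header, JSON_THROW_ON_ERROR)) . '.'
        . base64url_encode(json_encode($payload, JSON_THROW_ON_ERROR));
    $signature = hash_hmac('sha256', $signingInput, $secret, true);
    return $signingInput . '.' . base64url_encode($signature);
}

// Return the claims if the token is well-formed, signed with our secret and unexpired; null otherwise.
function jwt_verify(string $token, string $secret, int $leewaySeconds = 30): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h) ?: '', true);
    $payload = json_decode(base64url_decode($p) ?: '', true);
    $signature = base64url_decode($s);
    if (!is_array($header) || !is_array($payload) || $signature === false) {
        return null;
    }
    // Pin the algorithm on the server side: the token must never choose how it is verified,
    // so "alg":"none" and any unexpected algorithm are rejected outright.
    if (($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, $signature)) { // constant-time comparison
        return null;
    }
    // Expiry is mandatory: a token without "exp" is invalid, not eternal.
    if (!isset($payload['exp']) || !is_int($payload['exp']) || $payload['exp'] + $leewaySeconds < time()) {
        return null;
    }
    return $payload;
}

// Route guard: call at the top of a protected endpoint. Responds 401 and exits on failure.
function require_bearer(string $secret): array
{
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    $claims = preg_match('/^Bearer\s+(\S+)$/i', $auth, $m) ? jwt_verify($m[1], $secret) : null;
    if ($claims === null) {
        http_response_code(401);
        header('WWW-Authenticate: Bearer error="invalid_token"');
        header('Content-Type: application/json');
        echo json_encode(['error' => 'unauthorized']);
        exit;
    }
    return $claims;
}

$secret = getenv('JWT_SECRET') ?: throw new RuntimeException('JWT_SECRET is not set');

if (PHP_SAPI === 'cli') {
    // Self-check from the command line: a freshly issued token verifies, while a token whose
    // payload was altered after signing and a token claiming "alg":"none" are both rejected.
    $token = jwt_issue(['sub' => 'user-42'], $secret); // constructed sample claim
    var_dump(jwt_verify($token, $secret)['sub'] === 'user-42');
    [$h, $p, $s] = explode('.', $token);
    $tampered = $h . '.' . base64url_encode('{"sub":"other"}') . '.' . $s;
    var_dump(jwt_verify($tampered, $secret) === null);
    $unsigned = base64url_encode('{"alg":"none"}') . '.' . $p . '.';
    var_dump(jwt_verify($unsigned, $secret) === null);
} else {
    // Protected endpoint, e.g. GET /api/me
    $claims = require_bearer($secret);
    header('Content-Type: application/json');
    echo json_encode(['user' => $claims['sub'] ?? null]);
}
```

Two practical notes: under Apache or PHP-FPM the Authorization header is not always copied into $_SERVER['HTTP_AUTHORIZATION'] without extra configuration, so check your deployment before relying on it; and a production application would normally use a maintained JWT library for things like key rotation and RS256/ES256 support. What stays the same whichever library you pick is the trio of checks shown here: pin the algorithm, verify the signature with a constant-time comparison, and reject anything without a valid expiry. Refresh-token handling in httpOnly cookies is a separate flow and is not covered by this block.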

Next: Rate limiting and basic API protection patterns.

#PHP#API#Security#Advanced