Definition

JWT (JSON Web Token)

A JWT, or JSON Web Token, is a compact, URL-safe token format that encodes identity claims and metadata as a JSON object. The token is digitally signed so that the receiving party can verify its integrity, and it is used to transmit authentication and authorization data between a client and a server.

Understanding JWT (JSON Web Token)

JWTs are one of the most common mechanisms for maintaining user sessions in modern web applications. After a user logs in, the server creates a JWT containing the user's identity information and signs it with a secret key. The client stores this token and includes it with subsequent requests, allowing the server to verify the user's identity without maintaining session state.

The stateless nature of JWTs makes them popular for vibecoded applications because they simplify the backend architecture. However, JWTs come with security considerations that AI-generated code often mishandles. Common issues include tokens that never expire, secrets that are too short or hardcoded, missing signature verification, and tokens that contain too much sensitive information.

From a testing perspective, JWT-related issues often manifest as authentication anomalies. Users might stay logged in forever, sessions might not properly terminate on logout, or users might be able to access resources after their permissions have been revoked. These behaviors are important to test because they have direct security implications.
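As an added example (not part of this glossary entry), the following minimal HS256 issuer and verifier, using only the Python standard library, shows the three mishandlings named above side by side: reading claims without checking the signature, accepting a token that carries no expiry, and relying on a secret baked into the code. The secret, claims and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real deployment loads a long random secret from config, never source.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature over the first two parts."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """The common mistake: read the claims without checking the signature at all."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if alg, signature and expiry all check out; raise otherwise."""
    h, p, s = token.split(".")                      # ValueError if not exactly three parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # pin the algorithm the server issued
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")           # constant-time comparison
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims:
        raise ValueError("missing exp")             # a token with no expiry lives forever
    if (int(time.time()) if now is None else now) >= claims["exp"]:
        raise ValueError("expired")
    return claims

def demo(now: int = 1_900_000_000) -> dict:
    """Constructed scenario: a valid token, a copy with the role edited, and one without exp."""
    good = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, DEMO_SECRET)
    head, _, sig = good.split(".")
    forged_payload = _b64url(b'{"sub":"alice","role":"admin","exp":2000000000}')
    forged = ".".join([head, forged_payload, sig])  # old signature no longer covers the payload
    no_exp = sign_hs256({"sub": "alice", "role": "user"}, DEMO_SECRET)
    out = {"valid_role": verify_hs256(good, DEMO_SECRET, now)["role"],
           "forged_role_if_unverified": decode_unverified(forged)["role"]}
    for name, tok, t in (("forged", forged, now), ("no_exp", no_exp, now), ("expired", good, 2_100_000_000)):
        try:
            verify_hs256(tok, DEMO_SECRET, t)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```

`demo()` returns `{"valid_role": "user", "forged_role_if_unverified": "admin", "forged": "bad signature", "no_exp": "missing exp", "expired": "expired"}`, which is the behaviour a test suite should assert on for login, logout and revocation flows.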
