JWT stateless auth uses a signed token instead of a server-side session, so no DB lookup is needed on every request.
- Login: verify credentials → create a JWT (signed with a secret) → send the token to the client.
- Request: the client sends the token in the Authorization header (Bearer token).
- Server: middleware verifies the token, extracts the user info, and attaches it to req.user.
- Storage: access token → memory (JS variable), refresh token → httpOnly cookie. Do NOT store it in localStorage (XSS risk).
Refresh token for long-lived sessions.