credentials
▸ Server verifies credentials and returns a signed token (the JWT)
▸ Token is stored client-side! (e.g. local storage)
▸ Subsequent requests to server include the token, generally as an Authorization header
▸ Server decodes and verifies the JWT; if valid, proceed with request, no server-side session lookup necessary
▸ On logout, JWT is destroyed client-side
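The login and per-request steps above, as an added example that is not code from the original slides: a minimal HS256 issuer and verifier using only the Python standard library. The key, claim values and helper names are constructed for the example; it shows that the server must verify the signature, pin the algorithm and check `exp` rather than merely decode the token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key for this example; a real deployment loads it from a secret store.
SECRET = b"example-hs256-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Login step: sign {sub, iat, exp} with HMAC-SHA256 and return the compact JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Per-request step: decode AND verify; return the claims, or None on any failure.
    No session store is consulted; the signature is the only proof of authenticity."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; reject "none" and others
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # missing or expired
    return claims

def bearer_token(headers: dict) -> Optional[str]:
    """Pull the JWT out of 'Authorization: Bearer <token>'."""
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    return tok if scheme.lower() == "bearer" and tok else None
```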