Learn JWT claims, signing algorithms, OAuth 2.0 grant types, PKCE, and token lifecycle vocabulary.
1 / 5
A JWT (JSON Web Token) consists of three parts:
A JWT is header.payload.signature — each part is Base64URL encoded. The header identifies the algorithm; the payload contains claims; the signature verifies integrity.
2 / 5
The JWT claim 'exp' stands for:
The 'exp' claim is a Unix timestamp representing the expiry time. Tokens should be rejected after this time to prevent replay attacks with stolen tokens.
3 / 5
The OAuth 2.0 Authorization Code flow with PKCE is used for:
PKCE (Proof Key for Code Exchange) solves the public client problem — mobile apps and SPAs cannot store secrets safely, so PKCE uses a code verifier/challenge instead.
4 / 5
OAuth 2.0 Client Credentials grant is appropriate for:
Client Credentials is the M2M OAuth flow — a service uses its client ID and secret to obtain an access token for calling another service, with no user interaction.
5 / 5
A 'refresh token' in OAuth 2.0 is used to:
Refresh tokens are long-lived and used to obtain short-lived access tokens silently — they keep users logged in without requiring repeated credential entry.