AI and JWT tokens: how login actually works

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-builders-ai-coding-AI-and-jwt-tokens-teen

1. What does the acronym JWT stand for?

   1. JavaScript Web Tool
   2. Java Web Token
   3. JSON Write Transfer
   4. JSON Web Token

2. A JWT is made up of three parts separated by what character?

   1. Dots
   2. Semicolons
   3. Underscores
   4. Commas

3. Which part of a JWT contains the actual user data or claims?

   1. The payload
   2. The header
   3. The signature
   4. The prefix

4. Why should sensitive information like passwords never be placed in a JWT payload?

   1. AI automatically removes passwords from JWTs
   2. The payload is only visible to the server
   3. The payload is encoded but not encrypted, so anyone can read it
   4. JWTs have a size limit that rejects passwords

5. What can you ask an AI to help you with regarding JWTs?

   1. Create a new password for your account
   2. Send login emails to users
   3. Decode a JWT and explain what the payload contains
   4. Delete a token from the server database

6. What happens when a JWT reaches its expiration time?

   1. The server sends a new token via email
   2. The user is automatically logged back in
   3. The token is added to a whitelist
   4. The token becomes invalid for authenticating requests

7. What is the purpose of token refresh logic in an application?

   1. To update the user's profile information
   2. To change the user's password
   3. To delete old tokens from the database
   4. To automatically get a new token before the current one expires

8. Which cookie flag helps protect a JWT stored in a cookie?

   1. HttpOnly flag
   2. Public flag
   3. Visible flag
   4. ReadOnly flag

9. What is the primary purpose of the signature part of a JWT?

   1. To verify the token hasn't been tampered with
   2. To store the expiration timestamp
   3. To display the user's name
   4. To encode the header information

10. For a JWT to be considered valid, it must satisfy which conditions?

    1. It must be created by a human developer
    2. It must include the user's email address
    3. It must have a valid signature and not be expired
    4. It must contain the user's password

11. What does it mean when someone says a JWT is 'stateless'?

    1. The token deletes itself after one use
    2. The token only works on certain days
    3. The server doesn't need to store token information in a database
    4. The token must be refreshed every minute

12. If you find a JWT in your browser's developer tools, what should you NEVER do?

    1. Share it with others because it represents your session
    2. Use it to make requests to the API
    3. Paste it into an AI to explain the structure
    4. Decode it to see what data it contains

13. What is one security benefit of setting a short expiration time on a JWT?

    1. It reduces the window of opportunity if the token is stolen
    2. It loads faster on mobile devices
    3. It makes the token easier to read
    4. It prevents AI from decoding it

14. Why might a developer ask an AI to add token refresh logic to their app?

    1. To increase the app's storage space
    2. To make the app run faster
    3. To delete old user accounts
    4. To keep users logged in without forcing them to log in repeatedly

15. Where can you typically find a JWT after logging into a web application?

    1. In a printed PDF
    2. In your computer's recycle bin
    3. In the browser's developer tools under Application or Network tabs
    4. In your email inbox