
350-401 Question #640: Real Exam Question with Answer & Explanation


Submitted by amina.ke · Mar 6, 2026 · Security

Question

Which definition describes JWT in regard to REST API security?

Options

  • A. an encrypted JSON token that is used for authentication
  • B. an encrypted JSON token that is used for authorization
  • C. an encoded JSON token that is used to securely exchange information
  • D. an encoded JSON token that is used for authentication

Explanation

JWT (JSON Web Token) Explained

Option C is correct because a JWT (JSON Web Token) is defined as an encoded (not encrypted) token used to securely exchange information between parties. It can carry claims about identity, permissions, and other data, which makes it a general-purpose information-exchange mechanism rather than one limited to a single security function.

Why the distractors are wrong:

  • A and B are incorrect because JWT uses encoding (Base64URL), not encryption. The payload is readable once decoded, which is a critical distinction. In addition, each option describes only one use case.
  • D is partially correct in using "encoded," but it limits JWT's purpose to authentication alone, whereas JWT is broadly used to exchange any information securely (authentication, authorization, and beyond).

🧠 Memory Tip: Think of the "E" words - JWT is Encoded (not Encrypted). Use the acronym "JOSE" - JWT is part of the JSON Object Signing and Encryption framework, reminding you it's about exchanging information, not just one security task. If it were encrypted, you couldn't read it without a key - but JWT payloads are simply encoded and easily decoded.
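An added example (not part of the original page) of the encoded-versus-encrypted distinction: the claims of a constructed HS256 token are read with no key at all, while the HMAC signature is what lets a receiver detect a modified payload. The key, the claims and the function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    # JWT segments are Base64URL with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the stripped padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token: header.payload.signature
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def read_claims_without_key(token: str) -> dict:
    # No secret involved: anyone holding the token can read the payload
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, key: bytes) -> bool:
    # Integrity check: recompute the HMAC over header.payload and compare
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False
    # Pin the algorithm instead of trusting whatever the header claims
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)
```

Because the payload is readable by anyone who holds the token, secrets do not belong in the claims; the signature protects integrity, not confidentiality.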

Topics

#JWT #REST API Security #API Authentication #API Authorization
