🛡️ Free practice test question from: JWT vs. OAuth (Security+)

OAuth 2.0 is an authorization framework: It defines a process for granting third-party applications limited access to resources without sharing user credentials. It doesn't specify a token format.  

JWT is a token format: It's a standard (RFC 7519) for representing claims securely between parties as a JSON object. It can be digitally signed or encrypted.  

OAuth 2.0 can use different token formats, but JWT is a popular and effective choice because of its self-contained nature and ability to carry claims (information about the user or the authorization). When used together:  

-> OAuth 2.0 defines how authorization is granted.  

-> JWT defines what information is carried in the access token (and sometimes refresh tokens or ID tokens).  

Basically:
You use OAuth to get an authorization grant, which you then exchange for an access token (often a JWT) and optionally a refresh token.

Therefore, JWT is a tool that can be used within the OAuth 2.0 framework, not a competing standard or the foundation upon which OAuth 2.0 is built.