Detailed introduction of Django JWT login authentication mechanism

First, the front end sends the user's username and password to a back-end endpoint through a web form, normally as an HTTP POST request. The request should be sent over an SSL/TLS-encrypted connection (HTTPS) so that the credentials cannot be sniffed in transit.

After the back end has verified the username and password, it puts the user's id and other claims into the JWT payload, base64url-encodes the header and the payload, signs them with a server-side secret, and joins the three parts with dots. The resulting JWT is a string of the form lll.zzz.xxx.

The back end returns the JWT string to the front end as the result of a successful login. The front end can keep it in localStorage or sessionStorage, and delete the saved JWT when the user logs out.

On every subsequent request the front end places the JWT in the Authorization field of the HTTP header (this is intended to address XSS and XSRF issues).

The back end checks whether the header is present and, if so, verifies the JWT: it checks that the signature is correct, that the token has not expired, and (optionally) that the token's intended recipient is this service.

Once verification passes, the back end uses the user information contained in the JWT to carry out the rest of the request logic and returns the corresponding result.
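The whole cycle described in the steps above, written out as an added example in plain Python. It is not code from the original post and does not use Django's own auth machinery or a JWT library: the HS256 signing and verification are done with the standard library, and the secret key, audience name, user table, and the two view functions (`login_view`, `protected_view`, which take plain arguments instead of a Django request object) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values: in a real deployment the secret comes from
# settings (e.g. an environment variable), never from source code.
SECRET_KEY = b"constructed-example-secret-change-me"
AUDIENCE = "example-api"  # hypothetical name of this service, used as the "aud" claim
TOKEN_LIFETIME_SECONDS = 3600


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Re-add the padding that was stripped during encoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_jwt(payload: dict, secret: bytes = SECRET_KEY) -> str:
    """Step 2: encode header and payload, sign them, join as header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes = SECRET_KEY, audience: str = AUDIENCE, now=None) -> dict:
    """Step 5: check signature, expiry and audience; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Only accept the algorithm we issue, so a forged "alg": "none" header is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking signature bytes through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this service")
    return claims


# Constructed user table: a real Django app uses its auth backend and hashed passwords.
USERS = {"alice": {"id": 42, "password": "correct horse battery staple"}}


def login_view(username: str, password: str, now=None) -> dict:
    """Steps 1-3: check the credentials, issue a JWT, return it as the login result."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Constant-time comparison so timing does not reveal which check failed.
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return {"status": 401, "body": {"error": "invalid credentials"}}
    claims = {"sub": user["id"], "aud": AUDIENCE, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    return {"status": 200, "body": {"token": create_jwt(claims)}}


def protected_view(headers: dict, now=None) -> dict:
    """Steps 4-6: read the Authorization header, verify the JWT, act on the user id inside it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "body": {"error": "missing bearer token"}}
    try:
        claims = verify_jwt(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return {"status": 401, "body": {"error": str(exc)}}
    return {"status": 200, "body": {"user_id": claims["sub"]}}


if __name__ == "__main__":
    login = login_view("alice", "correct horse battery staple")
    token = login["body"]["token"]
    print(protected_view({"Authorization": "Bearer " + token}))
```

`verify_jwt` performs exactly the three checks listed in step 5 (signature, expiry, audience) and additionally pins the algorithm, which is the check most often missing in hand-rolled verifiers. One caveat on step 3: keeping the token in localStorage keeps it out of automatic cookie submission, which is what defeats XSRF, but any script running in the page can still read it, so output escaping and a content security policy remain necessary.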

Source: blog.csdn.net/cz_00001/article/details/112630511