JSON Web Token (JWT) is a method of transmitting and verifying information. Each JWT is signed with a private key (e.g. on a server), so it’s easy to check whether a JWT is valid by using the public key.

One downside of JWTs is that they cannot be easily invalidated. While you can add a timestamp to a JWT and configure a TTL, once signed the JWT remains valid for the entirety of the TTL. For example, if the JWT is used in an API to verify permissions and the permissions are removed shortly after the JWT was issued, the user will retain those permissions for as long as the TTL lasts. A way around this is to maintain a cache of rejected JWTs, though this would not be practical if the JWT is issued by another party (e.g. Firebase Auth).
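
The rejected-JWT cache described above, as an added sketch that is not code from the original page: tokens carry the standard `jti` (token ID) and `exp` claims, and each cache entry is kept only until the token's own expiry. To stay within the standard library it signs with HS256 (HMAC) instead of the private/public key pair mentioned above; `SECRET`, `issue`, `verify` and `Denylist` are hypothetical names, and the current time is passed in as `now`.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed value; stands in for the signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub, jti, ttl, now):
    """Sign a token whose claims carry an ID (jti) and an expiry (exp = now + TTL)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

class Denylist:
    """Cache of rejected token IDs; an entry is needed only until the token's exp."""
    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti, exp):
        self._revoked[jti] = exp

    def prune(self, now):
        # Expired tokens already fail the exp check, so their entries can be dropped.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def __contains__(self, jti):
        return jti in self._revoked

def verify(token, denylist, now):
    """Return the claims, or raise ValueError naming the reason for rejection."""
    try:
        header, payload, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["jti"] in denylist:  # the signature alone cannot reveal revocation
        raise ValueError("revoked")
    return claims
```

Because entries are pruned at `exp`, the cache never holds more than the tokens revoked within one TTL window.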