To understand this, we first need to understand what authentication is.
Authentication is the process of identifying who you are. Basic authentication uses a username and password for that purpose. But since HTTP is stateless, we need to keep track of state ourselves to know what the user is doing. For example, an online shopping site needs to keep track of what the user adds on each page, and an online game needs to keep track of which level the user has reached.
To make that possible we use a token. The signing function takes your data and a secret, like
jwt.sign(payload, secretOrPrivateKey, [options, callback])
and gives back a token that consists of three parts, separated by periods:
header: the type of algorithm used to create the signature
payload: the data (claims)
signature: computed with the secret over the encoded header and payload, so any change to them is detected
The best part of JWT is that it lets you store the token on the client side.
To send the generated token to the client, we use the X-access-token header. In subsequent requests, this token is exchanged instead of the username/password.