Which of the following correctly lists the three main parts of a JSON Web Token (JWT)?
How are the Header and Payload sections of a JWT typically encoded?
What type of information is commonly stored within the Payload (claims) of an Access Token in a JWT-based authentication system?
For Single-Page Applications (SPAs) interacting with a backend API, where is an access JWT most commonly stored on the client side?
When making authenticated requests to a backend API from a SPA, how is the JWT access token typically sent?
Explain the primary purpose of a refresh token in JWT-based authentication and briefly describe its typical flow in an SPA context.
Since JWTs are self-contained and stateless, how can a server effectively invalidate or revoke an access token before its natural expiration? Describe at least two common strategies.
Discuss the security trade-offs of storing JWT access tokens in client-side 'Local Storage' versus 'HttpOnly Cookies' for Single-Page Applications (SPAs).
Imagine a user is logging into a Single-Page Application (SPA) that uses JWT-based authentication with a backend API. Describe the entire authentication flow from the user's login attempt to subsequent access of a protected resource, including the role of refresh tokens and key security considerations. Your explanation should cover:
- User login process (sending credentials).
- Server-side processing (authentication, token generation, issuance).
- Client-side handling of the issued token (storage).
- How the client sends the token on subsequent requests to access protected resources.
- Server-side validation of the token for protected resource access.
- The role and typical flow of refresh tokens in maintaining user sessions.
- Key security considerations throughout the entire process.