I think it's better to clarify what a JWT token is. It is nothing more than a document issued by an authority, the same as your personal passport, driver's license or ID card. Therefore it basically contains your claims, but theoretically it can contain any other information.
The key point is that it can be verified by a third party without contacting the original issuer. It's a certificate, the same as when you have to show your ID or passport to identify yourself in real life. Your ID contains several unique details, and others can easily check whether it is fake or real.
So JWT tokens are virtual ID cards, issued by an authentication server as the authority. After you have the token, any other service which needs to identify you as a valid user must decide on its own whether that token is fake or real.
I recommend reading this brief introduction about the technical details:
jwt.io/introduction
So my answers to your questions:
- Never store the username/password in the token! You need the username/password to authenticate the user, and after that is done you create a token with claims associated to that user.
- No, you don't need to store the token anywhere. It can be generated on the fly. JWT tokens are self-contained packages, therefore you should not store them anywhere.
- No. They should be unique for each user within the expiration time. Each token has its own expiration time, and you should generate exactly the same token for the same user during this period.
- You don't need to verify the user. You need to verify the token itself, and if it seems valid you must accept it, just like when an officer checks your ID. Because the token is self-contained, you don't need to deal with any DB or other storage/service. You can validate the token itself.
- You cannot log out the user. After you have issued the token with the expiration time, you cannot revoke it. It means every token will be valid and must be accepted until it expires, just like your personal ID card has its own expiration time. Nobody can refuse to accept your ID while it's valid.
- It is different from a session. Both are bad, but we don't really have anything better yet.
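To make the "virtual ID card" idea concrete, here is an added example (not part of the answer above, and not taken from jwt.io) that issues an HS256 JWT with an expiration claim and then verifies it offline, exactly as a separate service would: checking the signature against the shared secret, pinning the algorithm, and rejecting expired tokens. The secret, subject and role values are constructed for the demo, and it uses only the Python standard library so it runs without a JWT package.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (hypothetical value). In a real deployment this is a
# long random key known to the issuing server and the verifying services only.
SECRET = b"demo-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, ttl_seconds: int, now: int,
                secret: bytes = SECRET) -> str:
    """Build header.payload.signature for a user; 'now' is a Unix timestamp."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise.

    No database or call to the issuer is needed: the signature alone proves origin.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    # RFC 7519: the current time must be strictly before 'exp'.
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def validation_result(token: str, now: int) -> str:
    """'ok' when the token is accepted, otherwise the rejection reason."""
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_roles(token: str, new_roles: list) -> str:
    """Rewrite the payload's roles without re-signing, as a forger without the secret would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["roles"] = new_roles
    forged = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the demo is reproducible
    tok = issue_token("alice", ["user"], 3600, now)
    print("fresh token:", validation_result(tok, now + 10))          # ok
    print("after expiry:", validation_result(tok, now + 3600))       # token expired
    print("edited roles:", validation_result(tamper_roles(tok, ["admin"]), now + 10))  # bad signature
```

Note that the verifier never asks the issuer whether the token is real, which is the point of the answer: the signature and the `exp` claim are all it needs. The same property is why revocation before expiry needs something outside the token itself.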