First, it was conceived to overcome an web exploit, called Cross site request forgery. This is well explained in the answers from the stack overflow question [1]. It is well explained well with a banking page. It will be very evident in a hacker situation.

Cross site request forgery can be simply overcome by token based authentication of the user requests by cross checking every request with a token. A token is a random number generated by the server and served with every page that is served.

On an Internet-of-Things context, it is very important when there are a lot of devices, a lot could happen even within your devices without any attacks.

OAuth is a method of authenticating using a time based token. The token verification is time based, the verification will not pass through when the token time is finished.

Looks like JWT, Json Web Tokens, is an evolved format of oauth where every communication is working on json based messages. A lot of negotiations are going on.

It is very amazing to look at the evolution of these technologies. Incase of IoT it is important to keep it simple without compromising on the level security.

References:

[1] http://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work

[2] https://en.wikipedia.org/wiki/OAuth

[3] https://en.wikipedia.org/wiki/JSON_Web_Token

[4] https://jwt.io