JWT (JSON Web Tokens)
A compact, URL-safe token format that encodes claims as a JSON object, digitally signed for integrity verification and optionally encrypted for confidentiality.
Description
JSON Web Tokens (JWTs) are a compact, self-contained format for transmitting claims between parties as a JSON object. A JWT consists of three parts separated by dots: a header (signing algorithm and token type), a payload (claims about the subject plus any additional metadata), and a signature computed over the first two parts, which lets the verifier detect tampering. Each part is base64url-encoded, so the token can travel in URLs, HTTP headers, and cookies.
JWTs are the required format for OpenID Connect ID tokens and are widely used as OAuth 2.0 access tokens. Because the token carries its own claims and signature, a resource server can validate it locally, needing only the issuer's public key (typically fetched once from a JWKS endpoint and cached) rather than a per-request call to the authorization server, which suits microservices architectures. Registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), nbf (not before), and jti (token ID); custom claims can be added for application-specific data such as roles or permissions.
Security considerations are critical with JWTs. The verifier must decide which algorithm it accepts and reject everything else: a verifier that takes alg from the token header can be handed alg=none (no signature at all) or, when one code path accepts both HS256 and RS256, an HS256 token whose HMAC key is the issuer's RSA public key (algorithm confusion). Symmetric HS256 is acceptable when the same service issues and verifies tokens; use asymmetric algorithms (RS256 or ES256) when separate services verify, so that verifiers hold only the public key and cannot mint tokens. Never store sensitive data in JWT payloads, since they are encoded, not encrypted, unless you use JWE. Keep access token lifetimes short, validate the signature and the registered claims (exp, nbf, iss, aud) on every request, and, because a valid signature cannot be withdrawn, pair short-lived access tokens with refresh token rotation or a revocation list keyed by jti for revocation support.
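The following is an added example, not code from the original page: a stdlib-only Python encoder and verifier for the structure and checks described above. It uses HS256 because that needs no third-party library; the claim checks and the algorithm pin apply unchanged to an RS256 verifier. The secret, issuer, audience, and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for this example only; a real deployment uses a
# high-entropy key that never leaves the issuer/verifier.
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None, leeway=30) -> dict:
    """Verify signature and registered claims; return the claims only if everything checks out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # Pin the algorithm instead of trusting the header: accepting "none" skips
    # verification entirely, and accepting RS256 on this code path would let an
    # attacker use the public key as the HMAC secret (algorithm confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    # Registered claims are checked on every request; exp and nbf get a small leeway for clock skew.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not intended for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims


def verification_error(token, secret, issuer, audience, now=None):
    """Return the rejection reason, or None if the token verified; handy for logging."""
    try:
        verify_hs256(token, secret, issuer, audience, now=now)
        return None
    except InvalidToken as e:
        return str(e)


def forge_unsigned(claims: dict) -> str:
    """Attacker-style token with alg=none and an empty signature, to show the pin rejects it."""
    header = {"alg": "none", "typ": "JWT"}
    return b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims)) + "."


if __name__ == "__main__":
    claims = {"iss": "https://issuer.example", "sub": "user-42", "aud": "orders-api",
              "iat": 1700000000, "exp": 1700000900, "roles": ["admin"]}
    token = sign_hs256(claims, SECRET)
    print(token)
    print(verify_hs256(token, SECRET, "https://issuer.example", "orders-api", now=1700000100))
    print("alg=none:", verification_error(forge_unsigned(claims), SECRET,
                                          "https://issuer.example", "orders-api", now=1700000100))
```

The order of checks matters: the algorithm pin and signature check come before any claim is read, so nothing in an unverified payload influences control flow. The leeway handles clock skew between issuer and verifier; keep it to seconds, not minutes, or the exp check loses its point.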
Prompt Snippet
Implement JWT authentication with short-lived access tokens (15 min expiry) and long-lived refresh tokens (7 day expiry) stored in HttpOnly, Secure, SameSite cookies. Sign with RS256 and support key rotation via a JWKS endpoint, selecting the verification key by kid. Validate tokens on every request by pinning the expected algorithm (reject any other alg, including none), verifying the signature, and checking the exp, nbf, iss, and aud claims. Include user roles and permissions as custom claims for authorization decisions. Implement a token refresh endpoint that issues a new access token without requiring re-authentication, rotating the refresh token on each use and revoking the whole session if a refresh token is presented twice. Give every access token a jti and maintain a Redis-backed blacklist of revoked jti values with a TTL matching the token's remaining lifetime for immediate revocation.
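An added example, not part of the original page, of the session-lifecycle half of the prompt above: refresh token rotation with reuse detection and a revocation list whose entries expire with the tokens they block. Redis is replaced by an in-memory TTL store constructed for the example; the token values are random strings standing in for the signed JWTs, and the 15 minute and 7 day lifetimes are the ones from the prompt.

```python
import secrets
import time

ACCESS_TTL = 15 * 60          # 15 minute access token, as in the prompt
REFRESH_TTL = 7 * 24 * 3600   # 7 day refresh token


class TtlStore:
    """In-memory stand-in for a Redis keyspace with per-key TTL (constructed for this example)."""

    def __init__(self):
        self._data = {}

    def set(self, key, value, ttl, now):
        self._data[key] = (value, now + ttl)

    def get(self, key, now):
        item = self._data.get(key)
        if item is None or item[1] <= now:
            self._data.pop(key, None)   # lazy expiry, as Redis does on its own
            return None
        return item[0]


class RefreshRejected(Exception):
    pass


class TokenService:
    def __init__(self):
        self.refresh_tokens = TtlStore()     # refresh token -> record
        self.revoked_families = TtlStore()   # family id -> True, after reuse or logout
        self.denylist = TtlStore()           # revoked access-token jti -> True

    def login(self, user, now=None):
        now = time.time() if now is None else now
        # Every login starts a new family; all rotations descend from it.
        return self._issue(user, secrets.token_urlsafe(16), now)

    def _issue(self, user, family, now):
        refresh = secrets.token_urlsafe(32)
        record = {"user": user, "family": family, "used": False}
        self.refresh_tokens.set(refresh, record, REFRESH_TTL, now)
        # access_jti stands in for the jti claim of the signed access token.
        return {"user": user, "access_jti": secrets.token_urlsafe(16),
                "access_exp": now + ACCESS_TTL, "refresh": refresh}

    def refresh(self, refresh_token, now=None):
        now = time.time() if now is None else now
        record = self.refresh_tokens.get(refresh_token, now)
        if record is None:
            raise RefreshRejected("unknown or expired refresh token")
        if self.revoked_families.get(record["family"], now):
            raise RefreshRejected("session revoked")
        if record["used"]:
            # A second presentation means the client replayed it or an attacker holds a copy.
            # Neither party gets to continue: revoke the whole family.
            self.revoked_families.set(record["family"], True, REFRESH_TTL, now)
            raise RefreshRejected("refresh token reuse detected; session revoked")
        record["used"] = True
        return self._issue(record["user"], record["family"], now)

    def logout(self, refresh_token, now=None):
        now = time.time() if now is None else now
        record = self.refresh_tokens.get(refresh_token, now)
        if record is not None:
            self.revoked_families.set(record["family"], True, REFRESH_TTL, now)

    def revoke_access(self, jti, exp, now=None):
        # The denylist entry lives exactly as long as the token it blocks, so the list stays bounded.
        now = time.time() if now is None else now
        self.denylist.set(jti, True, exp - now, now)

    def is_revoked(self, jti, now=None):
        now = time.time() if now is None else now
        return self.denylist.get(jti, now) is not None


def attempt_refresh(service, refresh_token, now=None):
    """Return ('ok', new_tokens) or ('rejected', reason); handy for logging and tests."""
    try:
        return "ok", service.refresh(refresh_token, now=now)
    except RefreshRejected as e:
        return "rejected", str(e)


if __name__ == "__main__":
    svc = TokenService()
    t0 = 1700000000
    first = svc.login("user-42", now=t0)
    second = svc.refresh(first["refresh"], now=t0 + 100)
    print(attempt_refresh(svc, first["refresh"], now=t0 + 200))   # replay of the old token
    print(attempt_refresh(svc, second["refresh"], now=t0 + 300))  # successor is dead too
```

Revoking the whole family on reuse is deliberate: at the moment of reuse the server cannot tell which presenter is the legitimate client, so both are cut off and the user re-authenticates. The access-token denylist is checked on every request alongside signature and claim validation, and because an entry expires when the token does, revocation costs no more storage than the set of currently live revoked tokens.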
Related Terms
JWT Refresh Token Rotation
A security strategy where each use of a refresh token issues a new refresh token and invalidates the old one, detecting token theft through reuse detection.
Token Revocation
The mechanism for invalidating issued access or refresh tokens before their natural expiration, typically triggered by logout, password change, or security events.
Token Blacklisting
A server-side list of revoked tokens that are checked on each request to deny access from tokens that have been invalidated before their natural expiration.
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that enables clients to verify the identity of the end-user and obtain basic profile information.
Claims-Based Identity
An identity model where user attributes and permissions are expressed as claims -- name-value pairs -- embedded in tokens or assertions, enabling decoupled and portable identity.
Session Management
The practice of securely creating, maintaining, and destroying user sessions to track authenticated state across stateless HTTP requests.