JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It's commonly used for authentication - after login, server issues a JWT that client sends with subsequent requests to prove identity.
JWT (JSON Web Token)
A compact, URL-safe token format for securely transmitting information between parties.
Token Structure
A JWT has three parts separated by dots: header.payload.signature
Header: Token metadata - type (JWT) and signing algorithm (HS256, RS256).
Payload: Claims - data about the user and token. Standard claims include sub (subject/user ID), exp (expiration), iat (issued at), iss (issuer).
Signature: Cryptographic hash of header + payload using a secret key. Prevents tampering.
How JWT Authentication Works
- User logs in with credentials
- Server validates credentials, creates JWT with user info
- Server sends JWT to client
- Client stores JWT (localStorage, cookie, memory)
- Client sends JWT in Authorization header:
Bearer <token> - Server verifies signature and extracts user info
- Server processes request based on user identity
Signing Algorithms
| Algorithm | Type | Use Case |
|---|---|---|
| HS256 | Symmetric | Same secret for sign/verify. Simple, fast. Single server. |
| RS256 | Asymmetric | Private key signs, public key verifies. Distributed systems. |
| ES256 | Asymmetric | Like RS256 but smaller keys, faster. Mobile apps. |
Token Expiration Strategy
Short-lived access tokens (15-60 min): Limits damage if stolen. User stays logged in with refresh tokens.
Long-lived refresh tokens (7-30 days): Stored securely, used only to get new access tokens. Can be revoked.
Sliding expiration: Each request extends expiration. Active users stay logged in.
Security Best Practices
Never store sensitive data in payload: JWTs are encoded, not encrypted. Anyone can decode and read the payload.
Use HTTPS only: Tokens in transit can be intercepted over HTTP.
Set expiration:
Always include exp claim. Short expiration limits attack window.
Validate all claims:
Check iss, aud, exp on every request. Don't just verify signature.
Secure storage: HttpOnly cookies for web (prevents XSS). Secure storage for mobile.
Use strong secrets: 256+ bits for HS256. Don't commit to git.
Common Mistakes
1. Storing JWTs in localStorage: Vulnerable to XSS attacks. Prefer HttpOnly cookies.
2. Not validating expiration:
Expired tokens should be rejected. Always check exp claim.
3. Trusting the algorithm header: Attackers can change to "none". Whitelist allowed algorithms server-side.
4. Huge payloads: JWTs go in every request. Keep payload small (< 1KB).
5. No revocation strategy: JWTs are stateless - can't invalidate before expiration. Use short expiration or token blacklist.
When to Use JWT
Good fit:
- Stateless authentication
- Microservices (pass user context)
- Single sign-on (SSO)
- API authentication
Consider alternatives:
- Session cookies for traditional web apps
- OAuth for third-party access
- API keys for service-to-service
Code Examples
JWT Authentication with Verification
import jwt from 'jsonwebtoken';
const SECRET = process.env.JWT_SECRET;
// Create token after login
function createToken(user) {
return jwt.sign(
{
sub: user.id,
email: user.email,
role: user.role
},
SECRET,
{ expiresIn: '1h' }
);
}
// Verify token middleware
function authenticate(req, res, next) {
const header = req.headers.authorization;
if (!header?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'No token provided' });
}
const token = header.slice(7);
try {
const payload = jwt.verify(token, SECRET, {
algorithms: ['HS256'] // Whitelist algorithm
});
req.user = payload;
next();
} catch (err) {
if (err.name === 'TokenExpiredError') {
return res.status(401).json({ error: 'Token expired' });
}
return res.status(401).json({ error: 'Invalid token' });
}
}Related Terms
OpenAPI Specification
A standard format for describing REST APIs, enabling documentation and code generation.
Read more
API Testing
The process of verifying that APIs work correctly, securely, and perform well.
Read more
HTTP Status Codes
Standard response codes that indicate the result of an HTTP request.
Read more
Latency
The time delay between a request being sent and a response being received.
Read more