What is JWT?
JSON Web Token — a compact, URL-safe token format for securely transmitting information between parties.
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims as a JSON object. A JWT is normally signed (JWS, RFC 7515), which makes its contents tamper-evident: a verifier holding the right key can confirm who issued the token and that it was not altered in transit. Signing does not hide the contents; that requires encryption (JWE, RFC 7516), which most deployments do not use.
A JWT consists of three parts separated by dots: the header (signing algorithm and token type), the payload (claims, such as the subject and expiry), and the signature computed over the first two parts. The header and payload are Base64URL-encoded JSON without padding, and the signature is the Base64URL-encoded raw signature bytes.
When to Use JWTs
- Stateless authentication in REST APIs
- Single sign-on (SSO) across services
- Passing signed claims between services (for example, from an identity provider to an API) without a shared session store
Security Considerations
- Never store sensitive data in the payload: it is only Base64URL-encoded, so anyone who holds the token can read it (unless the token is additionally encrypted as a JWE)
- Always validate the expiration (exp) claim, and also the not-before (nbf), issuer (iss) and audience (aud) claims where the token carries them, so a token minted for one service cannot be replayed against another
- Use strong signing keys and pin the accepted algorithm server-side; never let the token's alg header select the verification method, and reject alg "none". Prefer an asymmetric algorithm such as RS256 or ES256 over HS256 for public APIs: with HS256 every verifier holds the same secret and can therefore mint tokens, whereas with RS256 verifiers need only the public key
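The structure described above and the checks in this list, as an added example that is not code from the page or from any JWT library: using only the Python standard library it mints an HS256 token, decodes the payload without the key to show that it is readable, and then verifies it with a server-side pinned algorithm, a constant-time signature comparison, and exp/nbf/iss/aud validation. The secret, issuer and audience names are constructed for the example and are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only (hypothetical; use a long random key in practice).
SECRET = b"example-hs256-secret-not-for-production-use"

# The verifier pins the algorithms it accepts. The token's own header never gets to choose.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    """HS256 is HMAC-SHA256 over the ASCII signing input 'header.payload'."""
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def encode_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HS256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return signing_input + "." + b64url_encode(_sign(signing_input, key))


def decode_unverified(token: str) -> tuple:
    """Header and payload as anyone holding the token can read them: encoded, not encrypted."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if alg, signature, exp, nbf, iss and aud all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Algorithm: compare against the server-side allow-list, rejecting 'none' and swaps.
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")

    # 2. Signature, compared in constant time before any claim is trusted.
    expected = _sign(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Time and identity claims. 'now' is injectable so the checks are deterministic in tests.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong audience")
    return claims


def why_rejected(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> Optional[str]:
    """The rejection reason as a string, or None if the token is accepted."""
    try:
        verify_hs256(token, key, issuer, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed claims; issuer and audience names are hypothetical.
    claims = {"sub": "alice", "iss": "https://issuer.example", "aud": "orders-api",
              "iat": 1_700_000_000, "exp": 1_700_000_900}
    token = encode_hs256(claims, SECRET)
    print(token)
    print("readable without the key:", decode_unverified(token)[1])
    print("valid:", verify_hs256(token, SECRET, "https://issuer.example", "orders-api", now=1_700_000_100))
    # A forged token with alg 'none' and an empty signature is refused before its claims are read.
    header_b64, payload_b64, _ = token.split(".")
    forged = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."
    print("alg none:", why_rejected(forged, SECRET, "https://issuer.example", "orders-api", now=1_700_000_100))
    print("expired:", why_rejected(token, SECRET, "https://issuer.example", "orders-api", now=1_700_001_000))
```

The order of checks matters: the algorithm is compared against the verifier's own allow-list before the signature is computed, so a header claiming alg "none" or a different algorithm is refused without ever influencing how the signature is checked, and the claims are only parsed after the signature has passed.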
FAQ
Can JWTs be used for sessions?
Yes, but with caveats. A signed JWT stays valid until its exp claim passes; the server cannot cut it off earlier unless it keeps a denylist (keyed by a jti claim, for example) and consults it on every request, which reintroduces the server-side state JWTs were meant to avoid. If you go this route, keep token lifetimes short so the denylist stays small. For applications requiring immediate session revocation, server-side sessions are more appropriate.