Glossary

What Is a JWT? (JSON Web Token) Explained

A JWT (JSON Web Token) is a compact, self-contained token format used to securely transmit claims between parties as a JSON object. Because the claims are signed, the receiver can verify the token's integrity without making a database call. JWTs are widely used for stateless authentication in APIs and single-page applications.

The Three Parts of a JWT

A JWT has three Base64URL-encoded sections separated by dots: Header.Payload.Signature. The header specifies the token type (JWT) and signing algorithm (e.g., HS256). The payload contains the claims — user ID, roles, expiration time. The signature is computed from the header and payload using a secret or private key, allowing recipients to verify authenticity.

JWT Signing Algorithms

HS256 (HMAC-SHA256) uses a shared secret key — both the issuer and verifier must hold the same secret. RS256 (RSA-SHA256) uses a public/private key pair — the issuer signs with a private key and any verifier can validate with the public key. For microservices and public APIs, RS256 or ES256 (ECDSA) are preferred as they do not require sharing a secret.

JWT Is Not Encrypted by Default

Standard JWTs (JWS — JSON Web Signature) are signed but not encrypted. The payload is Base64URL-encoded, which anyone can decode. Never store sensitive data like passwords or credit card numbers in a standard JWT payload. If confidentiality is required, use JWE (JSON Web Encryption) instead.

Common JWT Security Mistakes

1) Accepting the 'none' algorithm — verify algorithms explicitly.
2) Not validating expiration (exp claim) on every request.
3) Storing JWTs in localStorage where XSS attacks can steal them — prefer HttpOnly cookies.
4) Using weak HS256 secrets that can be brute-forced — use at least 256 bits of random data.
5) Not maintaining a token revocation list when logout is needed.