Security
What is JWT?
JSON Web Token — a compact, URL-safe token format for securely transmitting information between parties.
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims between parties as a JSON object. A JWT is either signed (a JWS, RFC 7515) or encrypted (a JWE, RFC 7516); the common case is a signed token, whose signature lets the recipient check that the claims were issued by the holder of the signing key and have not been altered since. A signature proves integrity and origin, not that the claims are true or that the token is still acceptable: the verifier still has to check the algorithm, issuer, audience and expiry itself.
A signed JWT consists of three Base64URL-encoded parts separated by dots: the header (signing algorithm and token type), the payload (the claims, such as the subject and expiry), and the signature, which is computed over the first two encoded parts joined by a dot. Base64URL is an encoding, not a cipher, so the header and payload are readable by anyone who holds the token.
When to Use JWTs
- Stateless authentication in REST APIs
- Single sign-on (SSO) across services
- Securely transmitting information between services
Security Considerations
- Never put secrets or personal data in the payload: it is encoded, not encrypted, and anyone holding the token can read it
- Always validate the expiration (exp) claim, and nbf when present; also check iss and aud so a token minted for one service is not accepted by another
- Pin the accepted algorithm on the server: reject alg "none" and never let the token's own header choose the algorithm. Use strong keys (at least 256 bits of random data for HS256) and prefer an asymmetric algorithm (RS256, ES256 or EdDSA) over HS256 when the verifiers are separate from the issuer, as in a public API: with HS256 every verifier holds the shared secret and could mint tokens, whereas with RS256 only the issuer holds the private key
Frequently Asked Questions
Find answers to common questions about this tool.
Yes, but with caveats. A signed JWT is valid until its exp claim passes; the server cannot invalidate it earlier unless it keeps a denylist of revoked token IDs (the jti claim) that every verifier consults, or rotates the signing key, which invalidates every outstanding token at once. Keep token lifetimes short to bound the damage from a leaked token. For applications that require immediate session revocation, server-side sessions are more appropriate.
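As an added example (not part of the original page or the tool it describes), here is the denylist approach in the answer above, written in Python with only the standard library. It assumes tokens carry a jti and exp claim, and that the signature has already been verified before these checks run. Revoked entries are kept only until the token's own exp passes, since the normal expiry check rejects it after that; this bounds the denylist to the number of tokens revoked within one token lifetime. The claim values are constructed for the demo.

```python
import time
from typing import Dict


class JtiDenylist:
    """Revoked token IDs, kept only until the token would have expired anyway.

    Maps jti -> exp. Once exp has passed the ordinary expiry check rejects the
    token, so the entry is dropped; memory use is bounded by one token lifetime.
    In a multi-node deployment this would live in a shared store such as Redis
    with the same per-entry TTL (assumption; not shown here).
    """

    def __init__(self) -> None:
        self._revoked: Dict[str, float] = {}

    def revoke(self, claims: dict) -> None:
        # A token without jti cannot be revoked individually; refuse loudly rather
        # than silently doing nothing.
        if "jti" not in claims or "exp" not in claims:
            raise ValueError("token needs jti and exp to be revocable")
        self._revoked[claims["jti"]] = claims["exp"]

    def _prune(self, now: float) -> None:
        # Drop entries whose token is already past exp.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: float) -> bool:
        self._prune(now)
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


def session_is_live(claims: dict, denylist: JtiDenylist, now=None) -> bool:
    """Apply after signature verification: expiry first, then the denylist.

    Tokens without a jti are refused here, since they could never be revoked
    (a policy choice for this example).
    """
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        return False
    jti = claims.get("jti")
    if jti is None:
        return False
    return not denylist.is_revoked(jti, now)


if __name__ == "__main__":
    dl = JtiDenylist()
    claims = {"sub": "user-42", "jti": "t-1", "exp": 1_700_000_600}  # constructed
    print("before logout:", session_is_live(claims, dl, now=1_700_000_100))
    dl.revoke(claims)
    print("after logout:", session_is_live(claims, dl, now=1_700_000_100))
```

Call revoke on logout or password change; every request then pays one lookup, which is the cost the answer above refers to when it says JWTs cannot be invalidated server-side for free.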